[UNIX] Joomla BSQ Sitestats Component Multiple Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 1 Oct 2006 08:59:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Joomla BSQ Sitestats Component Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
"<http://developer.joomla.org/sf/projects/bsq_sitestats> BSQ Sitestats is
a site stats module that is lightweight on the front end but offers both
tabular and graphical summaries of site visitors' sessions on the
backend". Secunia Research has discovered some vulnerabilities in the BSQ
Sitestats component for Joomla, which can be exploited by malicious people
to conduct cross-site scripting and SQL injection attacks, and to
compromise a vulnerable system.
DETAILS
Vulnerable Systems:
* BSQ Sitestats (component for Joomla) version 1.x
Immune Systems:
* BSQ Sitestats (component for Joomla) version 2.2.1
The following vulnerabilities have been discovered in BSQ Sitestats:
1) Input passed to the "ip" form field parameter when performing an IP
Address Lookup is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script code in a
logged-in administrator's browser session in the context of an affected site.
2) Input passed to multiple parameters when importing the
ip-to-country.csv file is not properly sanitized before being used in a
SQL query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code when an administrator is tricked into importing a
malicious ip-to-country.csv file.
3) Input passed via the "HTTP Referer", the "HTTP User Agent", and the
"HTTP Accept Language" headers in bsqtemplateinc.php is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
Successful exploitation requires that "magic_quotes_gpc" is disabled.
4) Input passed to the "baseDir" parameter in
components/com_bsq_sitestats/external/rssfeeds.php is not properly
verified before being used to include files. This can be exploited to
execute arbitrary PHP code by including files from local or external
resources.
Successful exploitation requires that "register_globals" is enabled.
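For item 4, one way to review web-server access logs for requests that supply "baseDir" to the affected script. This is an added example, not part of the Secunia or SecuriTeam advisory; the log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path and parameter name come from item 4 of the advisory.
TARGET = "/components/com_bsq_sitestats/external/rssfeeds.php"
PARAM = "baseDir"  # PHP variable names are case-sensitive

# Assumed log layout: Apache common/combined format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(value):
    """Say where an include built from this baseDir value would point."""
    if re.match(r"[a-z][a-z0-9+.-]*://", value, re.I) or value.startswith("//"):
        return "remote"
    if ".." in value or value.startswith("/"):
        return "local-path"
    return "other"

def find_basedir_requests(lines):
    """Return (client_ip, status, kind) for each request that sets baseDir."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(TARGET):
            continue
        # parse_qs percent-decodes, so encoded values are classified too.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            hits.append((m["ip"], m["status"], classify(value)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Oct/2006:09:00:00 +0200] "GET /index.php?option=com_bsq_sitestats HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2006:09:01:12 +0200] "GET /components/com_bsq_sitestats/external/rssfeeds.php?baseDir=http%3A%2F%2Fhost.example%2F HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [01/Oct/2006:09:01:40 +0200] "GET /components/com_bsq_sitestats/external/rssfeeds.php?baseDir=..%2F..%2Ftmp%2F HTTP/1.0" 200 98 "-" "-"',
    '203.0.113.5 - - [01/Oct/2006:09:05:03 +0200] "GET /components/com_bsq_sitestats/external/rssfeeds.php HTTP/1.1" 200 2048 "-" "FeedReader"',
]

if __name__ == "__main__":
    for hit in find_basedir_requests(SAMPLE):
        print(hit)
```

With "register_globals" enabled, PHP also fills variables from POST bodies and cookies, which access logs do not record, so an empty result does not clear a host running version 1.x.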
The vulnerabilities have been confirmed in version 1.8.0. Other versions
may also be affected.
Solution:
The vulnerabilities have been fixed in version 2.2.1.
Time Table:
14/09/2006 - Vendor notified.
14/09/2006 - Vendor response.
17/09/2006 - Vendor releases fixed version 2.2.1.
29/09/2006 - Public disclosure.
ADDITIONAL INFORMATION
The information has been provided by Sven Krewitt, Secunia Research.
The original article can be found at:
http://secunia.com/secunia_research/2006-63/