Author: Janek Vind "waraxe"
Date: 03. May 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-88.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Joomla is one of the world's most popular open source CMS (content management
system). With millions of websites running on Joomla, the software is used by
individuals, small & medium-sized businesses, and large organizations worldwide
to easily create & build a variety of websites & web-enabled applications.
CVE Information:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2412 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
Vulnerability Details:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Reason: outputting html data without proper encoding
Attack vector: user-provided User-Agent string
Preconditions:
1. target victim must be logged in as admin
Result: XSS attack possibilities
Source code snippet from "sysinfo.php":
-----------------[ source code start ]---------------------------------
function &getInfo()
{
..
$this->info['useragent'] = $_SERVER['HTTP_USER_AGENT'];
-----------------[ source code end ]-----------------------------------
Source code snippet from "default_system.php":
-----------------[ source code start ]---------------------------------
<td>
<?php echo $this->info['useragent'];?>
</td>
-----------------[ source code end ]-----------------------------------
As seen above, user-provided User-Agent string is used for outputting html.
No data sanitization, which indicates Reflected XSS vulnerability issue.
20.04.2012 Developers contacted via email, no response
24.04.2012 CVE identifier request
25.04.2012 Got CVE identifier
26.04.2012 Second attempt contacting developers via email, no response
03.05.2012 Advisory published
[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page
========================================================================
=======
Author: Janek Vind "waraxe"
Date: 03. May 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-88.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Joomla is one of the world's most popular open source CMS (content management
system). With millions of websites running on Joomla, the software is used by
individuals, small & medium-sized businesses, and large organizations worldwide
to easily create & build a variety of websites & web-enabled applications.
Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Affected is Joomla version 2.5.4, older versions may be vulnerable as well.
########################################################################
#######
1. Reflected XSS in Joomla 2.5.4 admin sysinfo page
########################################################################
#######
CVE Information:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2412 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
Vulnerability Details:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Reason: outputting html data without proper encoding
Attack vector: user-provided User-Agent string
Preconditions:
1. target victim must be logged in as admin
Result: XSS attack possibilities
Source code snippet from "sysinfo.php":
-----------------[ source code start ]---------------------------------
function &getInfo()
{
..
$this->info['useragent'] = $_SERVER['HTTP_USER_AGENT'];
-----------------[ source code end ]-----------------------------------
Source code snippet from "default_system.php":
-----------------[ source code start ]---------------------------------
<td>
<?php echo $this->info['useragent'];?>
</td>
-----------------[ source code end ]-----------------------------------
As seen above, user-provided User-Agent string is used for outputting html.
No data sanitization, which indicates Reflected XSS vulnerability issue.
Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~
20.04.2012 Developers contacted via email, no response
24.04.2012 CVE identifier request
25.04.2012 Got CVE identifier
26.04.2012 Second attempt contacting developers via email, no response
03.05.2012 Advisory published
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"
Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------
[ reply ]