jeffchannell.com

Temporary Joomla 1.5.20 XSS Hotfix

Posted in Joomla!
2010-10-07 21:47:22 +0000 UTC

The guys over at YGN posted a video today of a 0-day Joomla! 1.5.20 XSS flaw. I've taken a look and have a quick fix that should prevent exploitation.

The flaw is in libraries/joomla/document/html/html.php, line 127:

    function addHeadLink($href, $relation, $relType = 'rel', $attribs = array())
    {
        $attribs = JArrayHelper::toString($attribs);
        // $href is concatenated into the double-quoted href attribute without any escaping
        $generatedTag = '<link href="'.$href.'" '.$relType.'="'.$relation.'" '.$attribs;
        $this->_links[] = $generatedTag;
    }

Here's the (admittedly dirty) fix:

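    function addHeadLink($href, $relation, $relType = 'rel', $attribs = array())
    {
        $attribs = JArrayHelper::toString($attribs);
        // html_entity_decode() runs first, so values that are already encoded are not double-encoded;
        // htmlspecialchars() then encodes &, <, > and the double quote before $href enters the attribute
        $generatedTag = '<link href="'.htmlspecialchars(html_entity_decode($href)).'" '.$relType.'="'.$relation.'" '.$attribs;
        $this->_links[] = $generatedTag;
    }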
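
To see what the change does to the generated tag, here is an added stand-alone example (not code from the original post or from Joomla!) that runs the unpatched and patched expressions over a few constructed `$href` values. The function names, the sample values, the closing ` />` and the explicit `ENT_QUOTES`/`UTF-8` arguments are assumptions made for the example.

```php
<?php
// Added example, not Joomla! code: stand-alone copies of the tag-building
// expression from addHeadLink(), before and after the hotfix.

// Unpatched: $href is concatenated into a double-quoted attribute as-is.
function buildLinkUnpatched($href, $relation, $relType = 'rel')
{
    return '<link href="' . $href . '" ' . $relType . '="' . $relation . '" />';
}

// Hotfix: decode first so already-encoded input (&amp;) is not double-encoded,
// then encode so a literal " or < cannot end the attribute or the tag.
// Assumption: ENT_QUOTES and UTF-8 are passed explicitly here.
function buildLinkPatched($href, $relation, $relType = 'rel')
{
    $decoded = html_entity_decode($href, ENT_QUOTES, 'UTF-8');
    $safe    = htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');
    return '<link href="' . $safe . '" ' . $relType . '="' . $relation . '" />';
}

// A well-formed tag built above has two attributes, so exactly four double
// quotes and one '<'. Anything else means $href escaped its attribute.
function staysInAttribute($tag)
{
    return substr_count($tag, '"') === 4 && substr_count($tag, '<') === 1;
}

// Constructed sample inputs (harmless marker markup only).
$samples = array(
    'plain'            => '/index.php?format=feed&type=rss',
    'pre-encoded'      => '/index.php?format=feed&amp;type=rss',
    'breakout'         => '/index.php?x="><b>marker</b>',
    'encoded breakout' => '/index.php?x=&quot;&gt;&lt;b&gt;marker',
);

foreach ($samples as $label => $href) {
    foreach (array('buildLinkUnpatched', 'buildLinkPatched') as $fn) {
        $tag    = $fn($href, 'alternate');
        $status = staysInAttribute($tag) ? 'contained' : 'BREAKS OUT';
        printf("%-17s %-19s %-10s %s\n", $label, $fn, $status, $tag);
    }
}
```

Like the hotfix, the patched function escapes only `$href`; `$relation` and `$relType` are still concatenated as-is.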

UPDATE: Thanks fw116 at the Joomla! forums for pointing out I had the wrong file path!