Thursday, 07 October 2010 16:47

The guys over at YGN posted a video today of a 0-day Joomla! 1.5.20 XSS flaw. I've taken a look and have a quick fix that should prevent exploitation.

The flaw is in libraries/joomla/document/html/html.php, line 127:

    function addHeadLink($href, $relation, $relType = 'rel', $attribs = array())
    {
        $attribs = JArrayHelper::toString($attribs);
        // $href is concatenated into the href attribute without any escaping
        $generatedTag = '<link href="'.$href.'" '.$relType.'="'.$relation.'" '.$attribs;
        $this->_links[] = $generatedTag;
    }

Here's the (admittedly dirty) fix:

    function addHeadLink($href, $relation, $relType = 'rel', $attribs = array())
    {
        $attribs = JArrayHelper::toString($attribs);
        // Decode any existing entities, then encode, so $href is escaped exactly once
        $generatedTag = '<link href="'.htmlspecialchars(html_entity_decode($href)).'" '.$relType.'="'.$relation.'" '.$attribs;
        $this->_links[] = $generatedTag;
    }
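
The effect of the change, as an added stand-alone example (not Joomla!'s code and not part of the original post): the function names `linkTagOriginal`, `linkTagPatched` and `attributesIntact`, the ` />` suffix and the sample hrefs are constructed for illustration. Only `$href` is escaped by the fix; `$relation`, `$relType` and `$attribs` are still concatenated as before.

```php
<?php
// Added example: stand-alone copies of the two tag builders (constructed names).

// Before: $href is concatenated into the attribute value as-is.
function linkTagOriginal($href, $relation, $relType = 'rel')
{
    // ' />' is added here only so the sample prints a complete tag (assumption).
    return '<link href="' . $href . '" ' . $relType . '="' . $relation . '" />';
}

// After: same call chain as the fix in the post.
function linkTagPatched($href, $relation, $relType = 'rel')
{
    // html_entity_decode() first, so "&amp;" does not become "&amp;amp;";
    // htmlspecialchars() then encodes &, <, > and the double quote.
    $safe = htmlspecialchars(html_entity_decode($href));
    return '<link href="' . $safe . '" ' . $relType . '="' . $relation . '" />';
}

// Two attributes should yield exactly four double quotes; more means a
// value closed its attribute early.
function attributesIntact($tag)
{
    return substr_count($tag, '"') === 4;
}

// Constructed sample inputs.
$samples = array(
    'already encoded' => 'index.php?format=feed&amp;type=rss',
    'raw ampersand'   => 'index.php?format=feed&type=rss',
    'embedded quote'  => 'index.php?x=1" data-injected="1',
);

foreach ($samples as $label => $href) {
    foreach (array('linkTagOriginal', 'linkTagPatched') as $builder) {
        $tag = $builder($href, 'alternate');
        printf("%-16s %-16s %-6s %s\n", $label, $builder,
            attributesIntact($tag) ? 'ok' : 'BROKEN', $tag);
    }
}
```

The first two samples produce the same `&amp;` in the patched output, which is why the decode step precedes the encode; the third is reported as BROKEN only by the original builder.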

UPDATE: Thanks fw116 at the Joomla! forums for pointing out I had the wrong file path!

Last Updated on Thursday, 07 October 2010 22:04
 

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
