Joomla! 1.6.0 Multiple Minor Vulnerabilities

Posted in Joomla!
2011-03-08 15:47:09 +0000 UTC

Now that 1.6.1 is officially released, I figured I'd go ahead and publish a few of the "sensitive" bugs I found in 1.6.0.

So without further ado...

Persistent XSS
  1. Log in as any user
  2. Edit profile
  3. Change name:
  4. Save profile
  5. Wait for admin to visit administrator/index.php?option=com_users


The following URLs caused off-site redirects.



Information Disclosure

The following URL could be used to see articles regardless of user access level:


Information Disclosure

Saving of user profiles did not properly sanitize the 'language' parameter.

  1. Log in as any user
  2. Visit index.php?option=com_users&view=profile
  3. Click "Edit Profile"
  4. Turn on Tamper Data
  5. Submit form
  6. Edit jform[params][language] and set to ../index.php%00
  7. Submit data
* Failed loading XML file
* /var/www/jj/language/../index.php
* XML: ParsePI: PI php never end ...
* XML: Start tag expected, '<' not found
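
One way to validate the 'language' value before it is ever joined to a file path, as an added example that is not Joomla's code or the 1.6.1 fix. The function name, the xx-XX tag pattern and the sandbox directory layout are assumptions made for illustration.

```php
<?php
// Added example, not Joomla's code. safe_language_tag() is a hypothetical helper.

/**
 * Return $raw if it names an installed language directory directly under
 * $languageDir, otherwise null.
 */
function safe_language_tag(string $raw, string $languageDir): ?string
{
    // 1. Reject NUL bytes outright: older PHP versions truncated file paths at them.
    if (strpos($raw, "\0") !== false) {
        return null;
    }
    // 2. Allowlist the shape of a tag (assumed form: en-GB); dots and slashes cannot pass.
    if (!preg_match('/\A[a-z]{2,3}-[A-Z]{2}\z/', $raw)) {
        return null;
    }
    // 3. Canonicalize and confirm the result is a directory inside $languageDir.
    $base   = realpath($languageDir);
    $target = realpath($languageDir . DIRECTORY_SEPARATOR . $raw);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $raw;
}

// Constructed sandbox standing in for a site root with a language/ folder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/language/en-GB', 0700, true);
mkdir($root . '/language/fr-FR', 0700, true);
file_put_contents($root . '/index.php', "<?php // constructed placeholder\n");

// Constructed inputs; the third is the value from step 6 after URL decoding.
$samples = ['en-GB', 'de-DE', urldecode('../index.php%00'), '../index.php', 'en-GB/../../index.php'];
foreach ($samples as $value) {
    $result = safe_language_tag($value, $root . '/language');
    printf("%-28s => %s\n", addcslashes($value, "\0"), $result ?? 'rejected');
}
```

Only en-GB is accepted: de-DE has the right shape but is not installed in the sandbox, and the other three values fail the NUL or pattern checks before any path is built.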

Unauthorized Access

The following URL will allow authenticated users with permission to access the Template Manager to edit files outside the scope of the template: