Temporary Joomla 1.5.20 XSS Hotfix
Posted in Joomla!
2010-10-07 21:47:22 +0000 UTC
The guys over at YGN posted a video today of a 0-day Joomla! 1.5.20 XSS flaw. I've taken a look and have a quick fix that should prevent exploitation.
The flaw is in libraries/joomla/document/html/html.php, line 127:
    function addHeadLink($href, $relation, $relType = 'rel', $attribs = array())
    {
        $attribs = JArrayHelper::toString($attribs);
        // $href is concatenated into the double-quoted href attribute unescaped
        $generatedTag = '<link href="'.$href.'" '.$relType.'="'.$relation.'" '.$attribs;
        $this->_links[] = $generatedTag;
    }
Here's the (admittedly dirty) fix:
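    function addHeadLink($href, $relation, $relType = 'rel', $attribs = array())
    {
        $attribs = JArrayHelper::toString($attribs);
        // Decode any existing entities, then re-encode, so $href cannot close the attribute.
        // Only $href is escaped; $relation, $relType and $attribs are concatenated as before.
        $generatedTag = '<link href="'.htmlspecialchars(html_entity_decode($href)).'" '.$relType.'="'.$relation.'" '.$attribs;
        $this->_links[] = $generatedTag;
    }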
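The effect of the change on a single href value, as an added example that is not part of the original post or of Joomla! itself. The function names link_tag_original, link_tag_hotfix and parsed_attribute_names and the sample href are constructed for illustration, and the script assumes PHP's DOM extension is available.

```php
<?php
// Added example, not Joomla! code: stand-alone copies of the two string
// concatenations above, run on a constructed href value.

function link_tag_original($href, $relation, $relType = 'rel')
{
    return '<link href="' . $href . '" ' . $relType . '="' . $relation . '"';
}

function link_tag_hotfix($href, $relation, $relType = 'rel')
{
    // Decode first so an already-encoded "&amp;" is not turned into
    // "&amp;amp;", then encode &, <, > and " for the quoted attribute.
    $safe = htmlspecialchars(html_entity_decode($href));
    return '<link href="' . $safe . '" ' . $relType . '="' . $relation . '"';
}

// Parse the finished tag and list the attribute names an HTML parser sees.
// The tag is closed here only so that it can be parsed on its own.
function parsed_attribute_names($tag)
{
    libxml_use_internal_errors(true); // keep parser warnings out of the output
    $doc = new DOMDocument();
    $doc->loadHTML('<html><head>' . $tag . ' /></head></html>');
    $names = array();
    $link = $doc->getElementsByTagName('link')->item(0);
    foreach ($link->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed input: a feed URL followed by a quote and a harmless marker
// attribute, standing in for request data that reaches $href.
$href = 'index.php?format=feed&amp;type=rss" data-injected="1';

foreach (array('link_tag_original', 'link_tag_hotfix') as $builder) {
    $tag   = $builder($href, 'alternate');
    $names = parsed_attribute_names($tag);
    $state = in_array('data-injected', $names)
        ? 'marker broke out of href'
        : 'marker stayed inside href';
    printf("%s\n  %s />\n  attributes: %s (%s)\n",
        $builder, $tag, implode(', ', $names), $state);
}
```

If the marker shows up as its own attribute, the value escaped the quoted href; with the hotfix the quote is emitted as an entity and the parser sees only href and rel.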
UPDATE: Thanks fw116 at the Joomla! forums for pointing out I had the wrong file path!