[waraxe-2012-SA#088] - Reflected XSS in Joomla 2.5.4 admin sysinfo page =============================================================================== Author: Janek Vind "waraxe" Date: 03. May 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-88.html CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2412 Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Joomla is one of the world's most popular open source CMS (content management system). With millions of websites running on Joomla, the software is used by individuals, small & medium-sized businesses, and large organizations worldwide to easily create & build a variety of websites & web-enabled applications. Vulnerable versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Affected is Joomla version 2.5.4, older versions may be vulnerable as well. ############################################################################### 1. Reflected XSS in Joomla 2.5.4 admin sysinfo page ############################################################################### CVE Information: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-2412 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Vulnerability Details: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reason: outputting html data without proper encoding Attack vector: user-provided User-Agent string Preconditions: 1. target victim must be logged in as admin Result: XSS attack possibilities Source code snippet from "sysinfo.php": -----------------[ source code start ]--------------------------------- function &getInfo() { .. $this->info['useragent'] = $_SERVER['HTTP_USER_AGENT']; -----------------[ source code end ]----------------------------------- Source code snippet from "default_system.php": -----------------[ source code start ]---------------------------------