Joomla! XSS Vulnerabilities by Riyaz Walikar

Joomla! XSS Vulnerabilities by Riyaz Walikar @ null Bangalore Meet, June 2010



  1. Joomla! XSS Vulnerabilities
     -- Riyaz Ahemed Walikar
  2. Background
     • Joomla! - Content Management System
     • PHP, MySQL
     • Ease of design and publishing
     • Admin Module
     • User pages
  3. Examples
     • http://www.danone.com/?lang=en
     • http://www.itwire.com/
     • http://vho.nasa.gov/
     • http://new.lincolncenter.org/live/
     • http://www.spl.usace.army.mil/cms/index.php
     • http://tatanano.inservices.tatamotors.com/tatamotors/index.php
  4. Tools
     • Local installation
     • Firefox + web developer addon
     • Patience!
  5. HowTo
     • Install Joomla! locally
     • Open in Firefox
     • Login to Admin Module
     • Change POSTs to GETs
     • Insert script tags and alert (‘xss’) on various URL parameters
     • If (alert=true) { print “yay!!”}
  6. Technojabble
     • The search parameter
     • Exploit code
         " onmousemove=alert('xss') />
         " onmousemove=alert(document.cookie) />
         " onmousemove=window.location.assign(url) />
     • 17 component modules
     • All versions prior to 1.5.18
     • Phishing, malware download, cookie stealing etc.
  7. Timeline
     • Discovered between May 10th-12th
     • Informed JSST on May 13th
     • Acknowledged on May 13th
     • Constant updates
     • Fixed version release May 28th
     • Fixed Version 1.5.18 [latest stable]
     • Bugtraq and Secunia June 2nd
     • NVD June 4th
  8. References
     • CONFIRM
       http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html
     • CVE-2010-1649
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1649
     • BID: 40444
       www.securityfocus.com/bid/40444
  9. References
     • OSVDB: 65011
       http://www.osvdb.org/65011
     • SECUNIA: 39964
       http://secunia.com/advisories/39964
     • Keeda ID: K-31
  10. Thank You!
      riyazwalikar@gmail.com
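
The "search parameter" slide describes a request value that lands inside a quoted HTML attribute, so a leading `"` closes the attribute and the rest becomes a new event-handler attribute. The following is an added illustration, not Joomla! source code and not from the slides: the function names and the `<input>` markup are hypothetical, and it assumes PHP with the DOM extension. It renders the first payload string from that slide through an unescaped and an escaped output path, then parses each result to show whether an `onmousemove` attribute exists.

```php
<?php
// Added illustration; not Joomla! code. All function names are hypothetical.

// Vulnerable pattern: request value copied straight into a quoted attribute.
function render_search_unsafe(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
function render_search_safe(string $search): string
{
    $encoded = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $encoded . '" />';
}

// Parse the markup and return the attributes found on the first <input>,
// i.e. what the element looks like after HTML parsing rather than as a string.
function input_attributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Payload string as listed on the slide.
$payload = '" onmousemove=alert(\'xss\') />';

$renderers = ['unsafe' => 'render_search_unsafe', 'safe' => 'render_search_safe'];
foreach ($renderers as $label => $fn) {
    $html  = $fn($payload);
    $attrs = input_attributes($html);
    printf("%-6s %s\n", $label, $html);
    printf("       attributes: %s\n", implode(', ', array_keys($attrs)));
    printf("       event handler present: %s\n",
        isset($attrs['onmousemove']) ? 'yes' : 'no');
}
```

The same parse-and-inspect check can serve as a regression test for any template that echoes a request parameter into an attribute.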
