The Joomla! Forum ™



PostPosted: Sun Oct 14, 2007 9:41 am 
Joomla! Guru

Joined: Thu Jun 01, 2006 9:28 am
Posts: 769
Location: Scotland
Just found this on the National Vulnerability Database, posted on 12th Oct 2007.

Cross-site scripting (XSS) vulnerability in the com_search component in Joomla! 1.0.13 and earlier allows remote attackers to inject arbitrary web script or HTML via the searchword parameter.

Link to notice - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5427

Listed on Security Focus with a little more information http://www.securityfocus.com/bid/26031/info

Also listed on various hacking sites.

Any advice on what to do to prevent this?

_________________
Geo

http://www.dalserf.org
http://www.improveyoursnooker.net


 
PostPosted: Sun Oct 14, 2007 9:51 am 
Joomla! Master

Joined: Thu Aug 18, 2005 10:41 am
Posts: 15729
Core / Developers are already aware of this and working on it. It's actually not a real XSS issue, as you are only able to cause a javascript popup. You are also limited to 20 characters and only to the search component, not to the rest of the CMS.

As I said, it's being worked on right now, and it will at least be fixed in SVN.

_________________
Regards Robin

http://www.linkedin.com/in/robinmuilwijk - http://twitter.com/i_robin


 
PostPosted: Fri Dec 21, 2007 7:40 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
Is there a way to monitor the status of this fix?

Thanks,
KP


 
PostPosted: Thu Jan 03, 2008 5:13 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
RobInk wrote:
Core / Developers are already aware of this and working on it. It's actually not a real XSS issue, as you are only able to cause a javascript popup. You are also limited to 20 characters and only to the search component, not to the rest of the CMS.

As I said, it's being worked on right now, and it will at least be fixed in SVN.


That is possibly one of the most misleading replies I have ever read from someone in a position of authority in Joomla.

1) By definition this is an XSS issue! Being able to generate a popup is an XSS issue.
2) Just because it's limited to 20 chars doesn't mean it's not a problem - actually I created a proof of concept where I was able to steal the cookie using this exploit!!!!!
3) This is not fixed in SVN; you posted on 14th October and no changes have been made since then until last night, for another exploit fix.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


 
PostPosted: Thu Jan 03, 2008 5:19 pm 
I've been banned!

Joined: Wed Jan 02, 2008 9:52 am
Posts: 35
PhilTaylor-Prazgod wrote:
RobInk wrote:
Core / Developers are already aware of this and working on it. It's actually not a real XSS issue, as you are only able to cause a javascript popup. You are also limited to 20 characters and only to the search component, not to the rest of the CMS.

As I said, it's being worked on right now, and it will at least be fixed in SVN.


That is possibly one of the most misleading replies I have ever read from someone in a position of authority in Joomla.

1) By definition this is an XSS issue! Being able to generate a popup is an XSS issue.
2) Just because it's limited to 20 chars doesn't mean it's not a problem - actually I created a proof of concept where I was able to steal the cookie using this exploit!!!!!
3) This is not fixed in SVN; you posted on 14th October and no changes have been made since then until last night, for another exploit fix.



Phil, I'm sure you love to help, but you are fixing to be banned.

Around here, nobody likes somebody who is a wiseass or, simply, wise.

Try to be a bit more *blond* and all should go well.


 
PostPosted: Thu Jan 03, 2008 5:25 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
I'm amazed by your post - simply amazed.

I refuse to be quiet about security issues.

If I get banned for being a pain in the rear regarding security issues then so be it.

I am not trying to be a wiseass, but I do have a hell of a lot of experience in this and a previous CMS project that I bring to each post.

Factually incorrect and misleading posts (especially about security) should be corrected when found.

I stand by my post.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


 
PostPosted: Thu Jan 03, 2008 5:25 pm 
Joomla! Guru

Joined: Fri Mar 03, 2006 3:26 pm
Posts: 545
Location: Canuck via MKE
@cariboo: big words for a "New Member". Is your promotion to moderator pending?

_________________
Victor Drover - Curator, Joomla Extensions Directory
http://anything-digital.com
The home of JCal Pro (the Joomla event calendar) and sh404SEF - SEO & security for Joomla


 
PostPosted: Thu Jan 03, 2008 5:26 pm 
Joomla! Enthusiast

Joined: Thu Jun 01, 2006 3:16 pm
Posts: 207
Location: Texas, USA
Phil is spot on. Please refrain from issuing gag orders.

_________________
cmsconnection.com/forum - the multi-cms forum


 
PostPosted: Thu Jan 03, 2008 5:27 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
@Cariboo
That's a little short-sighted on your part, I think.  Phil has provided some very valuable insight into problems in Joomla that no one else has bothered to address in this post.  We have around 30 Joomla-based 1.0.x sites that are LIVE and they are ALL failing our security checks, mainly because of XSS scripting.  So, if someone as experienced as Phil ( http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,353/Itemid,35/ ) says he can steal a cookie using an exploit that is less than 20 characters, we stand up and take notice.  If it bothers you that he is posting his useful information, then I recommend you just ignore it.  Some of us out here depend on that kind of information.  Grow up, for crying out loud.


 
PostPosted: Thu Jan 03, 2008 5:32 pm 
Joomla! Enthusiast

Joined: Mon Oct 03, 2005 2:51 pm
Posts: 155
Location: Singapore
cariboo wrote:
Phil, I'm sure you love to help, but you are fixing to be banned.

Around here, nobody likes somebody who is a wiseass or, simply, wise.


I need to type in large and bold letters I don't know why ZOMG!

_________________
-----
Making social sites functional: http://www.simbunch.com/
http://twitter.com/simbunch


 
PostPosted: Thu Jan 03, 2008 6:41 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
Probably the reason this has not been fixed quickly is because the root cause of the problem is the way that the page navigation class is used to create the limit drop-down box. The pageNav class is different for the frontend and the admin side.

The attached diff file fixes this issue on Joomla 1.0.13.

The diff will add a new function to your frontend pageNav class (a duplicate of the method in admin) and then tweak your com_search to use that new method instead.

Nothing fancy or pretty, in fact it's ugly, but it works.

Tested and working - also nukes the current XSS in com_search, as the searchword is no longer passed around into javascript strings in onchange commands.

Now smile!



_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/
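The pattern Phil describes above (the search term carried inside a JavaScript string in the limit box's onchange handler, and a fix that keeps the term out of script altogether) can be illustrated with the following added PHP example. It is not Phil's diff and not Joomla's own code: the function names, the limit values and the sample search term are constructed for illustration, and the point it shows is that an attribute holding a JavaScript string literal is a nested context that HTML escaping alone does not cover.

```php
<?php
// Added illustration, not Joomla's own code or Phil's diff: the com_search
// "limit" drop-down, first in the pattern the thread describes (search term
// placed inside a JavaScript string in an onchange attribute), then rebuilt
// so the term never enters script at all. Names and values are constructed.

function optionList(array $choices, int $current): string
{
    $html = '';
    foreach ($choices as $n) {
        $sel = ($n === $current) ? ' selected="selected"' : '';
        $html .= '<option value="' . $n . '"' . $sel . '>' . $n . '</option>';
    }
    return $html;
}

// Vulnerable pattern. The attribute value is an HTML context that contains a
// JavaScript context that contains a string literal: three nested contexts.
// $searchword is dropped into the innermost one unchanged, so a single
// apostrophe ends the literal and whatever follows is parsed as script.
// Wrapping it in htmlspecialchars() would not help: the HTML parser decodes
// &#039; back to ' before the JavaScript engine ever sees the handler.
function limitBoxUnsafe(string $searchword, int $limit): string
{
    return '<select onchange="document.location.href='
         . "'index.php?option=com_search&amp;searchword=" . $searchword
         . "&amp;limit='+this.value\">"
         . optionList([5, 10, 15, 20], $limit)
         . '</select>';
}

// Hardened pattern, in the spirit of the fix described above: the term is
// carried in a hidden field, escaped for the one context it actually sits in
// (an HTML attribute), and the handler only submits the form. With no user
// data inside the JavaScript there is no JavaScript context left to escape for.
function limitBoxSafe(string $searchword, int $limit): string
{
    $word = htmlspecialchars($searchword, ENT_QUOTES, 'UTF-8');
    return '<form method="get" action="index.php">'
         . '<input type="hidden" name="option" value="com_search" />'
         . '<input type="hidden" name="searchword" value="' . $word . '" />'
         . '<select name="limit" onchange="this.form.submit()">'
         . optionList([5, 10, 15, 20], $limit)
         . '</select></form>';
}

// Constructed sample: a perfectly ordinary search term containing an apostrophe.
$term = "o'neil";
echo limitBoxUnsafe($term, 10), "\n";   // the ' after "searchword=o" ends the JS string
echo limitBoxSafe($term, 10), "\n";     // value="o&#039;neil": harmless in the attribute
```

Run it with the PHP CLI and compare the two lines of output: the first handler is already broken by a harmless apostrophe, which is the same boundary a hostile value would cross.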


 
PostPosted: Thu Jan 03, 2008 6:51 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
Awesome, Phil!  Thanks.  I will test it out ASAP.  Not bad for a "WiseAss"!  (hehe, just kidding)


 
PostPosted: Thu Jan 03, 2008 7:04 pm 
Joomla! Guru

Joined: Fri Mar 03, 2006 3:26 pm
Posts: 545
Location: Canuck via MKE
cheers.

_________________
Victor Drover - Curator, Joomla Extensions Directory
http://anything-digital.com
The home of JCal Pro (the Joomla event calendar) and sh404SEF - SEO & security for Joomla


 
PostPosted: Thu Jan 03, 2008 7:12 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
Phil, I sent you a private msg, so please ignore that.  I will just ask my question here.....

Our security scans reported problems with XSS exploits using other com objects.  Would your fix correct the problems in com_content, for instance?  How about a URL like "index.php?fontstyle=f-smaller....... ??  (I can provide a specific example in private if you need it)

Thanks again,
Kepper


 
PostPosted: Thu Jan 03, 2008 7:16 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
kepper wrote:
Phil, I sent you a private msg, so please ignore that.  I will just ask my question here.....

Our security scans reported problems with XSS exploits using other com objects.  Would your fix correct the problems in com_content, for instance?  How about a URL like "index.php?fontstyle=f-smaller....... ??  (I can provide a specific example in private if you need it)

Thanks again,
Kepper



No - this diff file is specific to the XSS reported in the com_search component and will not fix any other XSS (if they exist).

If you would like to forward a proof of concept for any other type of XSS in core components, I will be happy to take a look.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


 
PostPosted: Thu Jan 03, 2008 7:18 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
Actually, I will e-mail it to you... I just realized we could do that.  I'm not much of a bulletin boarder.. sorry.

-Kepper



Ok.. I have a list.  I will send to you in private.  It is detailed and we don't want anyone to get any ideas from the report.

Keep a lookout in your private inbox.

Thanks,
Kepper


 
PostPosted: Thu Jan 03, 2008 7:37 pm 
Joomla! Ace

Joined: Fri Aug 26, 2005 1:31 am
Posts: 1347
Thanks for your work Phil!  :)

_________________
Follow me on Twitter @compassdesign
www.compassdesigns.net - Get free templates and news for Joomla
simplweb.com/joomla-hosting - Fully Managed Joomla Hosting - Unlimited Support


 
PostPosted: Thu Jan 03, 2008 7:48 pm 
Joomla! Guru

Joined: Tue Apr 11, 2006 7:29 pm
Posts: 738
Will there be an official fix coming out soon, or should we implement this fix?

_________________
http://www.dart-creations.com - We make Joomla Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Featured Articles, Popin Window, Visitors Map, Random Flash, Slide Menu (dropdown), 2CO / Paypal payment, YouTube module, and more!


 
PostPosted: Thu Jan 03, 2008 8:27 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1105
Location: Weymouth, UK
dattard wrote:
Will there be an official fix coming out soon, or should we implement this fix?


I cannot say whether there will or will not be an official fix coming - all I know is that my fix fixes the reported XSS in com_search.

You are free to implement my suggested changes.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://fix.myjoomla.com/ Same day commercial fixes for Joomla sites worldwide
-- http://www.phil-taylor.com/


 
PostPosted: Thu Jan 03, 2008 10:10 pm 
Joomla! Ace

Joined: Fri Aug 12, 2005 2:45 am
Posts: 1916
Location: Toowoomba, Australia
It's being looked into.  However it would *really* help out for people writing patches to also log a tracker item with the patch and if it's a security problem raise it with the highest priority.  Post here if you like but also do it in the tracker please (if you are mailing me directly with a "key look at this", please make sure you are pointing me to the tracker entry and that can point back to the forum as a reference).  That will help us a lot.

Also, for the old-timers around, if you see critical issues that are not resolved in the forum, check to see if they are in the tracker, and if they aren't it would be a great help if you could raise it for us.  Thanks in advance.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Joomla 1.6 training videos!
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


 
PostPosted: Fri Jan 04, 2008 12:48 am 
I've been banned!

Joined: Wed Jan 02, 2008 9:52 am
Posts: 35
vdrover wrote:
@cariboo: big words for a "New Member". Is your promotion to moderator pending?


??? Why WOULDN'T it be?

I figure I can CUT AND PASTE vaguely relevant and almost responsive snippets from the FAQs (to your *I've just been hacked!* posts) just as well as any of them!

:)


 
PostPosted: Fri Jan 04, 2008 1:33 am 
Joomla! Ace

Joined: Fri Aug 12, 2005 2:45 am
Posts: 1916
Location: Toowoomba, Australia
Ok guys keep it down.  Let's replace points scoring with problem fixing.  Thanks.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Joomla 1.6 training videos!
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


 
PostPosted: Fri Jan 04, 2008 5:59 am 
Joomla! Ace

Joined: Fri Aug 12, 2005 2:45 am
Posts: 1916
Location: Toowoomba, Australia
Phil and others, please test the SVN copy of 1.0 and see if the exploit is still available.  Thanks.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Joomla 1.6 training videos!
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


 
PostPosted: Fri Jan 04, 2008 9:47 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
We had several XSS exploits show up in a security test of our latest Joomla 1.0.13 based website.  I sent Phil Taylor the list from the report scan.  He checked them and was unable to duplicate the problem on his end and basically called them false positives.  That led me to think it was possibly the template we were using.  Sure enough, when we switched away from the template to the default Joomla template, none of the XSS exploits manifested themselves.  We contacted our template vendor and they immediately looked into and solved our problem.  They are going to make an update available ASAP.  I don't want to mention their name only because I don't want them to receive any bad press.  They jumped on the problem and fixed it and we are happy.  If you have to know, go to some of the major Joomla theme providers (I have no idea how many there are) and check their announcements.

Bottom line:  The problem reported in this thread is not necessarily a Joomla problem.  If you are using a third party template, go back to the original and test against that.

The fix was basically to intercept the URL variables and wash them through mosGetParam().

$foo = mosGetParam( $_REQUEST, 'foo' );

Many thanks to Phil Taylor.  He took the time to help us and the Joomla community out.  We will definitely be sending business his way in the very near future.
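Kepper's account above (scanner findings that vanished with the default template, and a vendor fix that ran URL variables through mosGetParam()) is illustrated by the following added PHP example. It is not the vendor's fix and mosGetParam() itself is not available outside Joomla, so a constructed allow-list helper stands in for it; the fontstyle parameter is taken from the URL quoted earlier in the thread, while the attribute it lands in and the allowed values are assumptions.

```php
<?php
// Added illustration, not the template vendor's fix: a template-level
// parameter such as fontstyle=f-smaller from the URL quoted above, read
// straight from the request versus restricted to an allow-list before it
// reaches the page. Joomla's mosGetParam() is not available stand-alone, so a
// constructed helper is used here; names and the allow-list are made up.

// Unsafe: the raw query value is written into the body's class attribute.
function bodyTagUnsafe(array $request): string
{
    $style = $request['fontstyle'] ?? 'f-default';
    return '<body class="' . $style . '">';
}

// Hardened: only values the template actually defines CSS for are accepted;
// anything else falls back to the default, so nothing user-controlled is
// ever echoed. This is stricter than generic sanitising because the set of
// legitimate values is tiny and known in advance.
const FONT_STYLES = ['f-smaller', 'f-default', 'f-larger'];

function templateParam(array $request, string $name, array $allowed, string $default): string
{
    $value = $request[$name] ?? $default;
    return in_array($value, $allowed, true) ? $value : $default;
}

function bodyTagSafe(array $request): string
{
    $style = templateParam($request, 'fontstyle', FONT_STYLES, 'f-default');
    // Escaping stays in place as defence in depth even though the value is
    // already known-good; the allow-list is what actually closes the hole.
    return '<body class="' . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed requests: a legitimate value and one carrying a quote that
// would end the attribute early, the kind of input a scanner sends.
$ok  = ['fontstyle' => 'f-smaller'];
$bad = ['fontstyle' => 'f-smaller" id="x'];
echo bodyTagUnsafe($bad), "\n";  // attribute closed early by the stray quote
echo bodyTagSafe($bad), "\n";    // <body class="f-default">
echo bodyTagSafe($ok), "\n";     // <body class="f-smaller">
```

The same check is a quick way to triage scanner output on a 1.0.x site: if the finding disappears under the stock template, the echo is in the template, not in core.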


 
PostPosted: Fri Jan 04, 2008 9:49 pm 
Joomla! Ace

Joined: Fri Aug 12, 2005 2:45 am
Posts: 1916
Location: Toowoomba, Australia
Thanks kepper for the update.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Joomla 1.6 training videos!
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


 
PostPosted: Sat Jan 05, 2008 5:55 pm 
Joomla! Ace

Joined: Fri Aug 26, 2005 1:31 am
Posts: 1347
kepper wrote:
We had several XSS exploits show up in a security test of our latest Joomla 1.0.13 based website.  I sent Phil Taylor the list from the report scan.  He checked them and was unable to duplicate the problem on his end and basically called them false positives.  That led me to think it was possibly the template we were using.  Sure enough, when we switched away from the template to the default Joomla template, none of the XSS exploits manifested themselves.  We contacted our template vendor and they immediately looked into and solved our problem.  They are going to make an update available ASAP.  I don't want to mention their name only because I don't want them to receive any bad press.  They jumped on the problem and fixed it and we are happy.  If you have to know, go to some of the major Joomla theme providers (I have no idea how many there are) and check their announcements.

Bottom line:  The problem reported in this thread is not necessarily a Joomla problem.  If you are using a third party template, go back to the original and test against that.

The fix was basically to intercept the URL variables and wash them through mosGetParam().

$foo = mosGetParam( $_REQUEST, 'foo' );

Many thanks to Phil Taylor.  He took the time to help us and the Joomla community out.  We will definitely be sending business his way in the very near future.


Could you PM me with some details of the issue regarding templates, please?

_________________
Follow me on Twitter @compassdesign
www.compassdesigns.net - Get free templates and news for Joomla
simplweb.com/joomla-hosting - Fully Managed Joomla Hosting - Unlimited Support


 
PostPosted: Mon Jan 07, 2008 1:41 am 
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
kepper wrote:
We had several XSS exploits show up in a security test of our latest Joomla 1.0.13 based website. 


Out of curiosity, what did you use to scan your website?


 
PostPosted: Mon Jan 07, 2008 1:00 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
Quote:
Out of curiosity, what did you use to scan your website?


The report has a logo titled "SPI Dynamics" on it.  So, I assume that is the program used.  Another department in our corporation actually performed the scan and sent the report to us.


 
PostPosted: Mon Jan 07, 2008 1:03 pm 
Joomla! Apprentice

Joined: Fri Jul 06, 2007 7:37 pm
Posts: 18
Quote:
Could you PM me with some details of the issue regarding templates please


@Compass: I will PM you even though you are offline.  I assume you will still get the message in your inbox.


 
PostPosted: Mon Jan 07, 2008 6:31 pm 
Joomla! Guru

Joined: Thu Jun 01, 2006 9:28 am
Posts: 769
Location: Scotland
kepper wrote:
Quote:
Out of curiosity, what did you use to scan your website?


The report has a logo titled "SPI Dynamics" on it.  So, I assume that is the program used.  Another department in our corporation actually performed the scan and sent the report to us.


Could it be this? http://www.spidynamics.com/

_________________
Geo

http://www.dalserf.org
http://www.improveyoursnooker.net


 