Bug 183672 - www-apps/joomla < 1.0.13 XSS
Summary: www-apps/joomla < 1.0.13 XSS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25804/
Whiteboard: ~4 [noglsa] p-y
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-29 18:24 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-08-09 13:04 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
joomla-1.0.13.ebuild (joomla-1.0.13.ebuild,1.17 KB, text/plain)
2007-08-01 15:03 UTC, Bjoern Olausson

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-29 18:24:39 UTC
Cindy Chee has discovered a vulnerability in Joomla!, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "Title" and "Section Name" form fields when creating new sections in Section Manager is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the data is viewed.

Successful exploitation requires that the target user has valid administrator credentials.

The vulnerability is confirmed in version 1.0.12. Other versions may also be affected.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-29 18:25:44 UTC
Setting status and cc'ing herd.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2007-07-26 10:33:58 UTC
from 1.0.13 Changelog:

* SECURITY A6 [LOW Level]: Fixed [#5630] HRS attack on variable "url"
* SECURITY A1 [LOW Level]: Fixed [#5654] Multiple fields subjected to cross-site scripting vulnerabilities
* SECURITY A7 [LOW Level]: Fixed possible session fixation vulnerability in administrator application


http://www.joomla.org/content/view/3670/78/
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-26 11:20:19 UTC
Thanks for the info, Carlo.
web-apps, please bump.
Comment 4 Bjoern Olausson 2007-08-01 15:03:14 UTC
Created attachment 126615 [details]
joomla-1.0.13.ebuild

I couldn't wait, so here is a version bump to 1.0.13.

Copy the postinstall txt file from the official one to the files dir in your overlay.

Worked fine for me on http://olausson.de/ and http://tanzclub-halle.de

regards
Bjoern
Comment 5 Bjoern Olausson 2007-08-01 15:47:16 UTC
By the way, why not add the following statement at the beginning?

if [[ -e ${MY_HTDOCSDIR}/INSTALL && -d ${MY_HTDOCSDIR}/INSTALL ]] ; then INSTALLED="NO" ; else INSTALLED="YES" ; fi

And after copying the files we would remove the INSTALL dir to prevent the user from manually removing the INSTALL dir.

if [[ "$INSTALLED" == "YES" ]] ; then rm -rf ${MY_HTDOCSDIR}/INSTALL ; fi

But it would be way better to not copy the INSTALL dir at all if joomla is already installed and configured.

regards
Bjoern
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2007-08-09 12:43:58 UTC
Thanks for the ebuild. Added to CVS.

Package marked unstable on all archs. I removed 1.0.12 so I guess this is fixed.

@Björn: 

The suggestion you have concerning the INSTALL dir would not work because of the way we use webapp-config. At least I assume that without further checking :) But during the installation we actually don't know if the webapp is actually installed or not. In any case such problems basically result from the way PHP stuff is installed which is somewhat flawed.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-09 13:04:41 UTC
Thanks guys, closing.