Bug 195710 - www-apps/joomla < 1.0.14 Multiple vulnerabilities (CVE-2007-5427 and others)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27196/
Whiteboard: ~3 [noglsa]
Reported: 2007-10-13 15:49 UTC by Tobias Heinlein (RETIRED)
Modified: 2008-02-11 21:59 UTC
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 15:49:11 UTC
MustLive has discovered a vulnerability in Joomla!, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "searchword" parameter in index.php (when "option" is set to "com_search") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the victim changes the number of search results in a drop-down box, after having clicked on the malicious link.

The vulnerability is confirmed in version 1.0.13. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.
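
The description above says `searchword` is returned without sanitisation and that the drop-down for the number of results is the trigger. The PHP below is an added example, not Joomla's code and not part of the original report; it sets a weak form of such a drop-down beside a hardened one. The function names are hypothetical, and placing the value in the drop-down's `onchange` handler is an assumption inferred from the description.

```php
<?php
declare(strict_types=1);

// Added illustration, not Joomla source; every function name is hypothetical.
function limitOptions(): string
{
    $html = '';
    foreach ([5, 10, 20, 50] as $n) {
        $html .= '<option value="' . $n . '">' . $n . '</option>';
    }
    return $html;
}

// Weak form (assumed placement): the raw request value is concatenated into
// the onchange handler of the results-per-page drop-down.
function limitBoxUnsafe(string $searchword): string
{
    $link = 'index.php?option=com_search&searchword=' . $searchword;
    return '<select onchange="document.location.href=\'' . $link
         . '&limit=\' + this.value;">' . limitOptions() . '</select>';
}

// Hardened form: encode once for each context the value passes through.
function limitBoxSafe(string $searchword): string
{
    // URL context: percent-encode the parameter value (RFC 3986).
    $link = 'index.php?' . http_build_query(
        ['option' => 'com_search', 'searchword' => $searchword],
        '', '&', PHP_QUERY_RFC3986
    );
    // HTML attribute context: escape quotes, angle brackets and ampersands.
    // The URL sits in a data attribute, so no request data reaches inline script.
    return '<select data-base="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8')
         . '" onchange="location.href = this.dataset.base + \'&amp;limit=\' + this.value;">'
         . limitOptions() . '</select>';
}

// Constructed probe holding the metacharacters that matter in these contexts.
$probe = "x'\"<>&";
foreach (['limitBoxUnsafe', 'limitBoxSafe'] as $fn) {
    $html = $fn($probe);
    $reflected = strpos($html, $probe) !== false;
    printf("%-15s raw value reflected: %s\n", $fn, $reflected ? 'yes' : 'no');
}
```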
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 15:51:38 UTC
Web-apps, please provide an updated ebuild.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-14 06:41:05 UTC
There is no updated source package, and neither the com_search module nor index.php seems to have any changes that relate to the issue. This requires upstream action.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-10-14 11:05:50 UTC
Gunnar, could you contact upstream about this please?
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-16 18:52:49 UTC
They know => http://forum.joomla.org/index.php/topic,222837.0.html

I'll check again in a few days.
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-23 09:40:28 UTC
This has been discussed in the forum thread linked above and is apparently a false positive. 

I checked on 1.5.0 and could not reproduce the XSS. I suggest closing this bug.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-23 09:54:46 UTC
Gunnar, after a quick read of the link provided I don't think it's a false positive. Also, Secunia still lists it and provides a link to a patch (though I can't connect to it right now).
Comment 7 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-23 11:16:49 UTC
Yes, guess you are right, sorry. I'm still not certain if it should exist on 1.5 anymore. I'll have to check the code...
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 21:53:38 UTC
Seems like this is finally fixed, along with other issues:
    * SECURITY [LOW]  Fixed XSS issue in Search Component.
    * SECURITY [LOW]  Fixed XSS issue in Search results pages.
    * SECURITY [LOW]  Disallowed users from adding extra wildcard filters in
      search strings.
    * SECURITY [LOW]  Fixed multiple typos in back end Content Component 
      making array integer check ineffective.
    * SECURITY [LOW]  Fixed case-sensitive flaw in Input Filter.
    * SECURITY [HIGH]  Fixed CSRF issue allowing portal compromise -
      Administrator components.

http://www.joomla.org/content/view/4563/1/
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 21:58:18 UTC
Just realised 1.0* is gone from the tree. So this is fixed, as the 1.5 issues are handled in bug 204335.