[ TITLE ....... ][ Joomla 2.5.3 reflected XSS and/or Information disclosure
[ DATE ........ ][ 26.03.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://joomla.org
[ VERSION ..... ][ 2.5.3
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?

This is a very nice CMS, you should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

This is reflected cross-site scripting. The same technique can also be used to learn where your Joomla installation lives on disk.
Send a normal HTTP GET to any link you choose on your Joomla site; which link does not matter. Replace the default 'localhost' (or similar) value of the 'Host' header and send your XSS payload via that header. In the same way the path/to/cms can be obtained. Enjoy.

[--------------------------------------------[
[ 3. Where is bug :)

The 'Host' header. (The value of this header is written into the HTML generated for the request. :)

[--------------------------------------------[
[ 4. More...

- http://joomla.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ All questions about new projects @ mail :) ]
[ Best regards
[
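The mechanism from sections 2 and 3, as an added PHP example that is not Joomla's own code: a base URL built from the raw Host header beside one pinned to a configured allowlist. The `$allowedHosts` values, the function names and the sample request are assumptions.

```php
<?php
// Added example (not Joomla code): Host-header reflection and a defensive
// allowlist for a CMS running on LAMP.

// Constructed $_SERVER-style input: a request whose Host header was tampered with.
$server = [
    'HTTP_HOST'   => 'tampered.example/<marker>',
    'REQUEST_URI' => '/index.php?option=com_content',
];

// Hostnames this installation is really served under (assumed values).
$allowedHosts = ['www.example.org', 'example.org'];

// VULNERABLE pattern: the base URL is derived from the request's Host header
// and written into the page unescaped, so whatever the client sent is reflected.
function vulnerableBaseTag(array $server): string
{
    $base = 'http://' . $server['HTTP_HOST'] . '/';
    return '<base href="' . $base . '" />';
}

// Return the canonical host only if the request's Host header matches the
// allowlist exactly (port stripped, case-folded); otherwise null.
function canonicalHost(array $server, array $allowedHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// HARDENED: unknown hosts get a 400 and an empty body, so neither the
// attacker-chosen name nor any error text with filesystem paths is echoed;
// the accepted value is still escaped as a second line of defence.
function safeBaseTag(array $server, array $allowedHosts): string
{
    $host = canonicalHost($server, $allowedHosts);
    if ($host === null) {
        http_response_code(400);
        return '';
    }
    $base = 'http://' . $host . '/';
    return '<base href="' . htmlspecialchars($base, ENT_QUOTES, 'UTF-8') . '" />';
}

echo vulnerableBaseTag($server), "\n";          // raw header lands in the markup
echo safeBaseTag($server, $allowedHosts), "\n"; // rejected: nothing reflected
```

In Joomla the `$live_site` value in configuration.php plays the role of `$allowedHosts` here by fixing the site URL instead of deriving it from the request.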