SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Multiple CSRF in Joomla all versions - Complete compromise


Arrow  SecurityAlert : 3505
Arrow  CVE : CVE-2007-6642
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Given : No
Arrow  Credit : Zinho
Arrow  Published : 01.01.2008

Arrow  Affected Software : Joomla All (1.0.13 and 1.5 rc3 tested)



Arrow  Advisory Text :  

[HSC] Multiple CSRF in Joomla all versions - Complete compromise


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Armando Romeo aka Zinho


Class: CSRF
Remote: Yes
Risk: HIGH

Product: Joomla
Version: All (1.0.13 and 1.5 rc3 tested)
Vendor: http://www.joomla.com
Patch: Joomla 1.5 RC4



"Joomla! is one of the most powerful Open Source Content Management
Systems on the planet. It is used all over the world for everything
from simple websites to complex corporate applications. Joomla! is easy
to install, simple to manage, and reliable"



Joomla is vulnerable to CSRF attacks into all of its released versions
including the RC3 of 1.5.


+] Affected areas

-Users
The attack allows everyone (no privileges needed) to add a new Super
Admin by just having a Super Admin visiting a url

-Extension installation
The attack allow everyone (no privileges needed) to upload an extension
from a remote location, thus having malicious PHP scripts on server.
Read PHP shell.

-Global configuration
The attack allows everyone (no privileges needed) to change all the
aspects of the site main configuration, including database configuration.

Defacement or complete portal compromise is possible including having
access to the database.


+] Notes

Joomla has been contacted on 12/4/2007. Fast and professional response
was given. Patched in SVN 4 days later and then with the RC4 release.
Time to face CSRF, community!

+] Patch

Patch of the above vulnerabilities is included into the RC4 release of
Joomla 1.5
As far as I know 1.0 has not been fixed so all the 1.0.x versions are
vulnerable and unpatched,
that's why I'm not including a POC here.

http://kit.hackerscenter.com - The most comprehensive security pack you
will ever find on the net!
--
----
Zinho

Webmaster and Founder

Hackers Center
Internet Security Portal
www.hackerscenter.com




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...
Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication
PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file
Copyright © SecurityReason.com. All Rights Reserved.