Westpoint Security Advisory
---------------------------

Title:        Joomla! 1.5.9 - Cross-Site Scripting Vulnerability in index.php
Risk Rating:  Medium
Platforms:    PHP (Windows and Unix)
Author:       Andrew Paterson <andrew@westpoint.ltd.uk>
Date:         12 Mar 2009
Advisory ID#: wp-09-0004
URL:          http://www.westpoint.ltd.uk/advisories/wp-09-0004.txt
CVE:          number requested from cve@mitre.org on 05 Mar 2009

Overview
--------

Joomla 1.5.9 contains a flaw in index.php which exposes users to cross-site scripting exploits.

Details
-------

http://{joomla_location}/index.php is cross-site scriptable in the "com_content" view, via the "filter" parameter. An example which demonstrates this (using the default sample data provided with Joomla) is:

http://{joomla_location}/index.php?option=com_content&view=category&id=29:the-cms&Itemid=37&layout=default&filter=%22%20onfocus=%22alert(%27Vulnerable%27);%22/%3E

This script filters out angle-bracket pairs to remove user-provided HTML tags, but allows double quotes through, and also allows a single "greater than" angle bracket through, allowing the input tag to be closed.

Impact
------

This flaw allows a potential attacker to inject malicious JavaScript or HTML code, which will run at the same trust level as the server. This may enable them to steal session cookies, form details, or other information.

Timeline
--------

12 Mar 2009  Joomla! authors informed of the vulnerability
25 Mar 2009  Joomla! security news announces the fix:
             http://developer.joomla.org/security/news/294-20090302-core-comcontent-xss.html
28 Mar 2009  Joomla! 5.2.10 released with fix applied:
             http://www.joomla.org/announcements/release-news/5231-joomla-1510-security-release-now-available.html
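As an added illustration (not part of the original advisory and not Joomla's code), the Python below reconstructs the weak "strip angle-bracket pairs" filter described in the Details section, renders the same value with attribute-context escaping instead, and parses the resulting markup the way a browser would to detect an injected attribute. The sample value is the advisory's own demonstration "filter" parameter, URL-decoded; the input-tag markup and the expected attribute set are assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser

# The "filter" value from the advisory's demonstration URL, URL-decoded.
FILTER_PARAM = '" onfocus="alert(\'Vulnerable\');"/>'

# Assumed: the rendered filter box should carry only these attributes.
EXPECTED_ATTRS = {"type", "name", "value"}


def strip_tag_pairs(value):
    """Reconstruction of the weak filter the advisory describes: removes
    complete <...> pairs but lets double quotes and a lone '>' through."""
    return re.sub(r"<[^>]*>", "", value)


def render_weak(value):
    """Vulnerable: filtered input lands inside a quoted attribute unescaped."""
    return '<input type="text" name="filter" value="%s" />' % strip_tag_pairs(value)


def render_safe(value):
    """Fixed: escape for the HTML attribute context (quote=True covers ' and ")."""
    return '<input type="text" name="filter" value="%s" />' % html.escape(value, quote=True)


class _InputAttrs(HTMLParser):
    """Collects the attribute dict of every <input> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def input_attributes(markup):
    """Parse the fragment as a browser would and return the <input> attrs."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.inputs


def attributes_as_expected(markup):
    """Regression check: True only if no <input> gained an unexpected
    attribute (such as an injected event handler) from user input."""
    return all(set(attrs) <= EXPECTED_ATTRS for attrs in input_attributes(markup))
```

With the weak filter the parsed tag gains an "onfocus" attribute and its value attribute is empty; with attribute escaping the value round-trips unchanged and the attribute set stays as expected.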