#13672 Cross-site scripting vulnerability?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Friday, 28 September 2012 10:40 CDT

user60941
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (2.5.7)
PHP version: (5.3)
MySQL version: (5.0)
Host: (GoDaddy)
Admin Tools version: (2.3.2)

Description of my issue:

I use GoDaddy's website scanner as a backup for Admin Tools, and here's the kind of warning it issued. Note that I turned on the cross-site block in WAF before:

Synopsis:

Your website is vulnerable to cross-site scripting attacks.

Description:

Your website contains pages that do not properly sanitize visitor-provided input to make sure
it contains no malicious content or scripts. Cross-site scripting vulnerabilities let
malicious users execute arbitrary HTML or script code in another visitor's browser.

Output:

The request string used to detect this flaw was :
/cross_site_scripting.nasl.asp
The output was :
HTTP/1.1 404 Not Found
Date: Tue, 11 Sep 2012 09:09:50 GMT
Server: Apache
X-Powered-By: Integrity
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: 2f4b27f97f06a134af69ddcdc426c684=98dca1ff92d6e4f9ea71dd1ab70f7fb5; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

CVE : CVE-2002-1700, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681
BID : 5011, 5305, 7344, 7353, 8037, 14473, 17408
Other references : OSVDB:18525, OSVDB:24469, OSVDB:42314, OSVDB:4989, OSVDB:58976, CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116

nicholas
Akeeba Staff
Manager
I am confused... Joomla! returns a 404 (Not Found) error page, yet GoDaddy's scanner considers this a vulnerability? Not to mention that the CVEs referenced are:
CVE-2002-1700: Vulnerability in ColdFusion
CVE-2003-1543: Vulnerability in Bajie Http Web Server
CVE-2005-2453: Vulnerability in NetworkActiv Web Server
CVE-2006-1681: Vulnerability in Cherokee HTTPD 0.5

What the...?! Are these people smoking crack?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user60941
I must say that I forgot what and how I did it, but instead of a 404 page, missing/wrong URL requests are being forwarded to the main page on my web site. Is that a problem?

They also posted a separate warning as follows. Note, I use JReviews for ratings and reviews:

Synopsis:

The remote web server is prone to cross-site scripting attacks.

Description:

The remote web server hosts cgi scripts that fail to adequately sanitize parameters name of
malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

Output:

Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to XSS (on parameters names) :
/resorts/americas/resorts?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /resorts/americas/resorts?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<!--[if lte IE 6]><script type="text/javascript" src="https://www.akeeba.com/components/ [...]
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] s/americas/resorts? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
<link rel="stylesheet" type="text/css" href="http://mydomain.com [...]
------------------------
/resorts/americas/resorts/?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /resorts/americas/resorts/?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<!--[if lte IE 6]><script type="text/javascript" src="https://www.akeeba.com/components/ [...]
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] /americas/resorts/? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
<link rel="stylesheet" type="text/css" href="http://mydomain.com [...]
------------------------
/resorts/americas?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /resorts/americas?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<!--[if lte IE 6]><script type="text/javascript" src="https://www.akeeba.com/components/ [...]
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] m/resorts/americas? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
<link rel="stylesheet" type="text/css" href="http://mydomain.com [...]
------------------------
/resorts/americas/north-america/?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /resorts/americas/north-america/?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<!--[if lte IE 6]><script type="text/javascript" src="https://www.akeeba.com/components/ [...]
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] ricas/north-america/? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
<link rel="stylesheet" type="text/css" href="http://mydomain.com [...]
------------------------
/resorts/americas/north-america?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /resorts/americas/north-america?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<!--[if lte IE 6]><script type="text/javascript" src="https://www.akeeba.com/components/ [...]
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] ericas/north-america? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
<link rel="stylesheet" type="text/css" href="http://mydomain.com [...]
------------------------
/contact?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /contact?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] teaplace.com/contact? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
------------------------
/resorts/americas/?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /resorts/americas/?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<!--[if lte IE 6]><script type="text/javascript" src="https://www.akeeba.com/components/ [...]
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] /resorts/americas/? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
<link rel="stylesheet" type="text/css" href="http://mydomain.com [...]
------------------------
/resorts/americas/north-america/usa?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1
-------- request --------
GET /resorts/americas/north-america/usa?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1\r
Host: mydomain.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 2f4b27f97f06a134af69ddcdc426c684=79a899be4ce16e3808d28e9efd156f7d\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<meta property="og:description" content="Resorts reviews, rating, [...]
<script type="text/javascript" src="http://connect.facebook.net/en [...]
[...] as/north-america/usa? <script>alert(313)</script>=1';}});}}};function fa [...]
--></script>
------------------------
Other references : CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116

nicholas
Akeeba Staff
Manager
OK, that's more like it and does look like a legitimate XSS attack. First, update everything to the latest release. This includes components, modules, plugins and templates (don't forget templates use PHP code too).

See if visiting the malicious URL (/resorts/americas/resorts?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29%3C%2F%73%63%72%69%70%74%3E=1) results in a popup appearing on the page.

If it does you have to determine which extension (component, module, plugin or the template itself) is generating the Javascript on the page which is vulnerable to XSS. You can do that by disabling the extensions running on the page one by one and revisiting it, until you can no longer get the alert box popping up. Then contact its developer and give him the same information you did with me.

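The scanner's output excerpts show the decoded probe sitting inside a JavaScript string literal on the page. The following is an added example, not code from this ticket or from Admin Tools: it decodes the scanner's probe exactly as the report encodes it (including the leading %FF%FE bytes) and classifies a response body by whether the payload comes back raw, HTML-escaped, JavaScript-escaped, or not at all. The sample bodies are constructed for the example, not captured from the site in the ticket.

```python
from html import escape
from urllib.parse import unquote_to_bytes

# Probe query string exactly as it appears in the scanner report.
PROBE = ("%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33%29"
         "%3C%2F%73%63%72%69%70%74%3E=1")


def decode_probe(query: str):
    """Percent-decode the scanner's parameter name and value.

    The leading %FF%FE bytes are a UTF-16 byte-order mark that the scanner
    prepends to trip up naive decoders; strip it and decode as latin-1 so
    every remaining byte maps to exactly one character."""
    name, _, value = query.partition("=")
    raw = unquote_to_bytes(name)
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("latin-1"), value


def classify_reflection(body: str, payload: str) -> str:
    """Report how (or whether) the payload appears in a response body."""
    if payload in body:
        return "unescaped"      # markup intact: the page really reflects it
    if escape(payload, quote=True) in body or escape(payload, quote=False) in body:
        return "html-escaped"   # rendered as text, never parsed as markup
    if payload.replace("/", "\\/") in body:
        return "js-escaped"     # '<\/script>' cannot close an inline script element
    return "absent"


# Constructed sample bodies (assumption: what a site might return).
SAMPLES = {
    "raw":  "var u='http://mydomain.com/contact? <script>alert(313)</script>=1';",
    "html": "<p>Search: &lt;script&gt;alert(313)&lt;/script&gt;</p>",
    "js":   "var u='/contact?<script>alert(313)<\\/script>=1';",
    "none": "<html><body>404 Not Found</body></html>",
}


def report(samples=SAMPLES, query=PROBE):
    """Classify every sample body against the decoded probe."""
    payload, _ = decode_probe(query)
    return {name: classify_reflection(body, payload) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:5} -> {verdict}")
```

A body classed "unescaped" is the case worth chasing extension by extension as described above; "html-escaped" and "js-escaped" are the encodings that stop the markup from being parsed.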

user60941
Everything is updated.

I tested that URL and no pop ups.

nicholas
Akeeba Staff
Manager
...which means that there is no XSS vulnerability.


user60941
OK, I will be ignoring those warnings then. Thanks a lot!

nicholas
Akeeba Staff
Manager
Well, I'd suggest talking to your host. If you are visiting the same URL and you see no XSS vulnerability, you are in a position where you don't know if you can trust their scanner. Since it's part of their service, ask them for support about it. They should give it to you.

