XSS and URL manipulation security issues
Support forum for customers who have purchased this product with priority support pack. Archive only, no new post can be added.

NOTE: This category has been locked. If you have purchased paid version, please, use our Support Ticket system instead. If you are using free edition, please see the Community Support section.
TOPIC: XSS and URL manipulation security issues

XSS and URL manipulation security issues 5 years, 1 month ago #44486

I have two outstanding security issues with my site which I believe lie with JoomSEF.

Issue Number 1 - URL manipulation

Loading a URL with a single quote at the end gives an unhandled error and appears to show some JoomSEF SQL. For example: staging-www.mdbcloud.co.uk/getting-started'

Issue Number 2 - Arbitrary URL XSS

Go to one of our URLs:
staging-www.mdbcloud.co.uk/blog/entry/will-hs2-change-your-life

Use a web proxy tool like "Burp" to capture the request. Use this to change the value of the URL from:

GET /blog/entry/will-hs2-change-your-life HTTP/1.1

to

GET /blog/entry/will-hs2-change-your-life<script>alert('123');</script> HTTP/1.1

Then forward this (and all other requests) and an error page will be shown, and the script will execute in the user's browser.
The topic has been locked.

Re: XSS and URL manipulation security issues 5 years, 1 month ago #44488

  • dajo
Hi,

Thank you for your report, we'll check and fix these problems as soon as possible.
Could you please post the version of JoomSEF you use? Thank you.
ARTIO Support Team

Re: XSS and URL manipulation security issues 5 years, 1 month ago #44493

Version 4.5.1

Re: XSS and URL manipulation security issues 5 years, 1 month ago #44516

  • dajo
Hi,

We've just tested the reported issues on Joomla 2.5.20 and 3.3.0.

We've confirmed that the first issue is a bug in JoomSEF and will be fixed in the next version.

However, the second issue is present directly in Joomla 2.5.20 even without JoomSEF, so you should report this problem to the Joomla team and they should fix it in Joomla's core (the problem is present if some component displays the URL obtained from JUri::getInstance()). We couldn't confirm the problem on Joomla 3.3.0 - the URL displayed in the website's source code is escaped correctly.
ARTIO Support Team
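
Added example (not part of the thread, and not Joomla or JoomSEF code): the difference between displaying a request URL as-is and escaping it on output, run over the URLs quoted in the report. The function names are hypothetical, and the `$uri` string is assumed to stand in for the value a component obtains from JUri::getInstance().

```php
<?php
// Vulnerable pattern: the URL is concatenated into the page as-is, so any
// markup in the request path becomes part of the document.
function renderNotFoundUnsafe(string $uri): string
{
    return '<p>Page <a href="' . $uri . '">' . $uri . '</a> was not found.</p>';
}

// Hardened pattern: encode on output so the URL is always treated as text.
// ENT_QUOTES also encodes ' and ", which matters inside the href attribute.
function renderNotFoundSafe(string $uri): string
{
    $text = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Page <a href="' . $text . '">' . $text . '</a> was not found.</p>';
}

// Regression check: true if the URL contains <, >, " or ' and reached the
// rendered markup byte-for-byte, i.e. without being encoded.
function leaksMarkup(string $html, string $uri): bool
{
    return strpbrk($uri, '<>"\'') !== false && strpos($html, $uri) !== false;
}

// Request paths quoted in the report, plus the unmodified blog URL.
$samples = [
    "/blog/entry/will-hs2-change-your-life",
    "/getting-started'",
    "/blog/entry/will-hs2-change-your-life<script>alert('123');</script>",
];

foreach ($samples as $uri) {
    $unsafe = renderNotFoundUnsafe($uri);
    $safe   = renderNotFoundSafe($uri);
    printf(
        "%s\n  unescaped output leaks markup: %s\n  escaped output leaks markup:   %s\n  escaped output: %s\n\n",
        $uri,
        var_export(leaksMarkup($unsafe, $uri), true),
        var_export(leaksMarkup($safe, $uri), true),
        $safe
    );
}
```

A check like `leaksMarkup()` can be kept as a regression test for any template or error page that prints the current URL.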