Joomla! cgTestimonial Component Cross-Site Scripting and Arbitrary File Upload

SECUNIA ADVISORY ID:
SA40926

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40926/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40926

RELEASE DATE:
2010-08-09

DESCRIPTION:
Salvatore Fresta has discovered some vulnerabilities in the
cgTestimonial component for Joomla!, which can be exploited by
malicious users and malicious people to compromise a vulnerable
system and by malicious people to conduct cross-site scripting
attacks.

1) Input passed to the "url" parameter in
components/com_cgtestimonial/video.php is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

2) An error in the components/com_cgtestimonial/cgtestimonial.php
script allows upload of files with arbitrary extensions to a folder
inside the web root. This can be exploited to execute arbitrary PHP
code by uploading a PHP file with e.g. an "image/jpg" content type.

3) An error in the
administrator/components/com_cgtestimonial/testimonial.php script
allows upload of files with arbitrary extensions to a folder inside
the web root. This can be exploited to execute arbitrary PHP code by
uploading a PHP file with e.g. an "image/jpg" content type.

Successful exploitation of this vulnerability requires "Public
Back-end" permissions.

The vulnerabilities are confirmed in version 1.0. Other versions may
also be affected.
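The two weaknesses above have the same root causes as most reflected XSS and upload bugs: output is echoed without escaping, and an upload is accepted because the client-supplied Content-Type looks like an image. The following PHP is an added illustration of the corresponding defensive checks; it is not the cgTestimonial component's code, and the form field name "image", the "user_images" destination and the function names are assumptions.

```php
<?php
// Added example, not cgTestimonial code. Field names and paths are assumptions.

// Issue 1: a reflected parameter must be validated and escaped for the
// HTML context it is written into. Here the value is meant to be an http(s)
// URL placed in an attribute, so reject other schemes and escape the rest.
function render_video_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';  // javascript:, data:, relative junk, etc. are dropped
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Issues 2 and 3: never trust $_FILES[...]['type']; it is sent by the client.
// Allowlist the extension, sniff the real bytes, confirm the file decodes as
// an image, and store it under a server-generated name.
function validate_image_upload(array $file, string $destDir): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;  // not an actual upload for this request
    }

    // Extension allowlist mapped to the MIME type the bytes must really have.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;  // .php, .phtml, .phar ... are refused here
    }

    // Sniff the content instead of believing the declared Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return null;  // e.g. PHP source uploaded with "image/jpg" declared
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null;  // magic bytes present but not a decodable image
    }

    // Discard the client filename entirely; the stored name is random and
    // carries only the allowlisted extension, so "x.php.jpg" cannot survive.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);  // readable, never executable
    return $name;
}

// Illustrative usage (assumed field name and directory).
$stored = validate_image_upload($_FILES['image'] ?? [], __DIR__ . '/user_images');
$safeUrl = render_video_url($_GET['url'] ?? '');
```

Even a genuine image can carry PHP source in a comment or EXIF block, so the content check above is not sufficient on its own; the directory that receives uploads must also be configured so the web server never executes anything stored there, which is what the .htaccess part of the advisory's solution addresses.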

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Restrict access to the components/com_cgtestimonial/user_images
directory (e.g. via .htaccess).
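An .htaccess placed in the user_images directory can enforce the second part of the solution regardless of what the upload handler lets through. The fragment below is an added example, not taken from the advisory or the component; it assumes Apache with AllowOverride permitting these directives, and the mod_php module name in the IfModule test may differ on your build.

```apache
# Added example: deny execution of anything stored in user_images.
# Refuse to serve files whose extension a script handler might pick up.
<FilesMatch "\.(php|phtml|php[0-9]|phar|cgi|pl|py|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Make sure no handler is mapped in this directory at all.
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar
Options -ExecCGI -Indexes

# With mod_php, switch the engine off for this directory outright.
# (Module name varies: mod_php5.c, mod_php7.c or mod_php.c.)
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
```

Verify the result by requesting a harmless .php file placed in the directory by an administrator: the server should answer 403 (or serve it as plain text if only the handler removal applies), never execute it.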

PROVIDED AND/OR DISCOVERED BY:
Salvatore Fresta aka Drosophila

ORIGINAL ADVISORY:
http://adv.salvatorefresta.net/cgTestimonial_2.2_Joomla_Component_Multiple_Remote_Vulnerabilities-06082010.txt

