Joomla Cross-Site Scripting and SQL Injection Vulnerabilities

SECUNIA ADVISORY ID:
SA40644

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40644/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40644

RELEASE DATE:
2010-07-16
DESCRIPTION:
Multiple vulnerabilities have been reported in Joomla, which can be
exploited by malicious users to conduct SQL injection attacks and by
malicious people to conduct cross-site scripting attacks.

1) Input passed via unspecified parameters is not properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries and disclose internal path information via SQL error
messages.

Successful exploitation requires "Back-end" permissions.

2) Input passed to unspecified parameters in the administrative
section is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

3) Input passed to unspecified parameters in the administrative
section is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 1.5.19.

SOLUTION:
Update to version 1.5.19 or later.

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Andy Gorges.
2) The vendor credits Jose Antonio Vazquez Gonzalez.
3) The vendor credits oCERT.

ORIGINAL ADVISORY:
http://developer.joomla.org/security/news/315-20100701-core-sql-injection-internal-path-exposure.html
http://developer.joomla.org/security/news/316-20100702-core-xss-vulnerabillitis-in-back-end.html
http://developer.joomla.org/security/news/317-20100703-core-xss-vulnerabillitis-in-back-end.html
http://developer.joomla.org/security/news/318-20100704-core-xss-vulnerabillitis-in-back-end.html