Joomla! JCE Component Cross-Site Scripting and Security Bypass Vulnerabilities

SECUNIA ADVISORY ID:
SA46365

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46365/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46365

RELEASE DATE:
2012-05-21

DESCRIPTION:
Secunia Research has discovered two vulnerabilities in the JCE
component for Joomla!, which can be exploited by malicious users to
bypass certain security restrictions and by malicious people to
conduct cross-site scripting attacks.

1) Input passed to the "search" parameter in administrator/index.php
(when "option" is set to "com_jce" and "view" is set to "users") is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

2) An error due to the
components/com_jce/editor/extensions/browser/file.php script not
properly verifying requests to rename files can be exploited to
rename e.g. core Joomla! configuration files, resulting in the
application becoming unavailable.

Successful exploitation of this vulnerability requires "Author"
privileges.

The vulnerabilities are confirmed in version 2.1.0. Other versions
may also be affected.
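
The following is an added example, not part of the Secunia advisory or
the JCE code base. It reviews web server access logs for requests that
match the conditions of vulnerability 1 ("option" set to "com_jce",
"view" set to "users") and carry HTML markup characters in "search".
The log format, the sample lines, the function names and the
markup-character heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in common log format, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2012:10:00:01 +0000] "GET /administrator/index.php?option=com_jce&view=users&search=alice HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/May/2012:10:00:07 +0000] "GET /administrator/index.php?option=com_jce&view=users&search=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300',
    '203.0.113.9 - - [21/May/2012:10:00:09 +0000] "GET /administrator/index.php?option=com_content&search=%3Cb%3E HTTP/1.1" 200 4100',
    '203.0.113.7 - - [21/May/2012:10:00:12 +0000] "GET /administrator/index.php?view=users&option=com_jce&search=%2522%253Cimg HTTP/1.1" 200 5200',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set('<>"')  # assumed heuristic: characters needed to break out into HTML


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_search(line):
    """Return the decoded "search" value if the request matches the advisory's
    conditions and contains markup characters, otherwise None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if not url.path.endswith("/administrator/index.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    if params.get("option") != ["com_jce"] or params.get("view") != ["users"]:
        return None
    for value in params.get("search", []):
        value = fully_decode(value)
        if MARKUP_CHARS & set(value):
            return value
    return None


def flagged(lines):
    """Return (line, decoded search value) pairs worth reviewing."""
    return [(l, v) for l in lines if (v := suspicious_search(l)) is not None]
```

Access logs normally record only the query string, so a "search" value
submitted in a POST body is not visible to this check.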

SOLUTION:
Update to version 2.1.3.

PROVIDED AND/OR DISCOVERED BY:
Jon Butler, Secunia.

ORIGINAL ADVISORY:
JCE:
http://www.joomlacontenteditor.net/news/item/jce-213-released?category_id=32