XSS found in Ionosphere template
-
-
- dps
- Newbie
- Posts: 1
- Thanks: 2
-
I found a XSS in the Ionosphere template v1.10 on Joomla 3.4 and Gantry 4. I have started to test with some other templates and have found the same result.
A Reflected Cross-Site Scripting vulnerability was found in the following pages:
• /
• /index.php
• /index.php/component/content/
• /index.php/component/search/
• /index.php/component/users/
Each of these pages uses a variable called “option”. Whatever value is passed to the “option” variable via the URL is returned as a class in the HTML body. For example, after performing the following request:
/index.php?option=”onload=”alert(‘xss’)”
The following was found in the HTML response:
<body class="accent-overlay-dark body-overlay-light bg-overlay-dark bg-pattern-dustnscratches headerwidth-full font-family-ionosphere font-size-is-default logo-text-1 logo-icon-1 menu-type-fusionmenu inputstyling-enabled-1 typography-style-light col12 option-"onload="aler(‘xss’)"">
I installed a brand new joomla instance and then gantry and the Ionosphere template and the then I was able to exploit the template.
I was able to find this vulnerability in IE and FF.
Credit for discovering the vulnerability should go to Michael Butler, Senior Penetration Tester at Defense Point Security. - Last Edit: 10 years 1 month ago by dps. Reason: Adding in version information, and giving the credit to the correct person.
-
-
-
- MrT
- Preeminent Rocketeer
- Posts: 101084
- Thanks: 13484
- Web Designer/Developer
-
Thanks for letting us know - our DEVS will investigate this and we'll get back to you here soon.
Regards, Mark. - Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
-
-
-
- MrT
- Preeminent Rocketeer
- Posts: 101084
- Thanks: 13484
- Web Designer/Developer
-
So our DEVS have had a quick look and are inclined to agree with your assessment - we will be correcting this in the next release of Gantry 4.
Thank you very much for reporting this to us.
Regards, Mark. - Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
-
-
-
- MrT
- Preeminent Rocketeer
- Posts: 101084
- Thanks: 13484
- Web Designer/Developer
-
This message contains only secure information that is visible to MrT, moderators and administrators
- Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
-
-
-
- MrT
- Preeminent Rocketeer
- Posts: 101084
- Thanks: 13484
- Web Designer/Developer
-
We've just released Gantry 4.1.29 that addresses the issue that you reported - thanks again for reporting it to us.
Regards, Mark. - Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
-
Time to create page: 0.036 seconds