Joomla Incapsula Component <= 1.4.6_b Reflected Cross-Site Scripting Vulnerability
Title: Joomla Incapsula Component <= 1.4.6_b Reflected Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2013-5121
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 08.01.2013
Summary
Once the Incapsula for Joomla component is installed, simply make the provided DNS changes and within minutes your website traffic will be seamlessly routed through Incapsula’s globally distributed network of POPs.
Description
The Joomla Incapsula component suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the 'token' GET parameter in the 'Security.php' and 'Performance.php' scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
--------------------------------------------------------------------------------
/administrator/components/com_incapsula/assets/tips/en/Performance.php (line 22):
-----------------------------------------------------------------------
<a href="https://my.incapsula.com/billing/selectplan?token=<?php echo $_GET['token']; ?>" target="_blank" class="IFJ_link">Click here</a> to upgrade your account
Patch:
------
<a href="https://my.incapsula.com/billing/selectplan?token=<?php echo htmlentities($_GET['token']); ?>" target="_blank" class="IFJ_link">Click here</a> to upgrade your account
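As an added illustration, not code from the advisory or the Incapsula component, the Performance.php link rendered three ways in PHP on one constructed token value: the vulnerable echo, the htmlentities() patch with the flags and charset passed explicitly (the advisory's one-liner relies on the defaults), and a form that percent-encodes the URL query value before HTML-escaping the attribute. The function names and the sample token are assumptions.

```php
<?php
// Added example, not code from the advisory or the Incapsula component: the same
// link from Performance.php rendered three ways on one constructed token value.

// Constructed sample: a value that closes the attribute and carries tag characters.
$sampleToken = 'tok" data-injected="<i>x</i>';

// 1. Vulnerable form, as the advisory describes it: the GET value lands unescaped
//    inside a double-quoted href attribute, so the quote ends the attribute early.
function renderLinkVulnerable($token)
{
    return '<a href="https://my.incapsula.com/billing/selectplan?token=' . $token
        . '" target="_blank" class="IFJ_link">Click here</a>';
}

// 2. Vendor-style patch: htmlentities() rewrites '"', '<' and '>' as entities
//    (flags and charset passed explicitly; the advisory's one-liner relies on defaults).
function renderLinkPatched($token)
{
    return '<a href="https://my.incapsula.com/billing/selectplan?token='
        . htmlentities($token, ENT_QUOTES, 'UTF-8')
        . '" target="_blank" class="IFJ_link">Click here</a>';
}

// 3. Context-aware form: the value is a URL query component inside an HTML attribute,
//    so it is percent-encoded for the URL first, then the whole URL is HTML-escaped.
function renderLinkEncoded($token)
{
    $url = 'https://my.incapsula.com/billing/selectplan?token=' . rawurlencode($token);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '" target="_blank" class="IFJ_link">Click here</a>';
}

// Check whether the injected attribute survives as markup in each rendering.
$renderings = array(
    'vulnerable' => renderLinkVulnerable($sampleToken),
    'patched'    => renderLinkPatched($sampleToken),
    'encoded'    => renderLinkEncoded($sampleToken),
);
foreach ($renderings as $name => $html) {
    $state = (strpos($html, '" data-injected="') !== false) ? 'attribute broken' : 'attribute intact';
    echo str_pad($name, 10) . ': ' . $state . PHP_EOL . '  ' . $html . PHP_EOL;
}
```

Only the first rendering reports the attribute as broken; the third additionally keeps the token usable as a query value on the receiving side, which plain HTML escaping alone does not guarantee.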
--------------------------------------------------------------------------------
Vendor
Incapsula Inc. - http://www.incapsula.com
Affected Version
1.4.6_b and below
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a
Vendor Status
[06.12.2012] Vulnerabilities discovered.
[06.12.2012] Initial contact with the vendor.
[09.12.2012] Vendor responds asking more details.
[10.12.2012] Working with the vendor.
[20.12.2012] Vendor releases patched version 1.4.6_c.
[09.01.2013] Coordinated public security advisory released.
PoC
incapsulajoomla_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.incapsula.com/incapsula-for-joomla-download/category/1-incapsula-component
[2] http://packetstormsecurity.com/files/119364
[3] http://cxsecurity.com/issue/WLB-2013010070
[4] http://1337day.com/exploit/20135
[5] http://xforce.iss.net/xforce/xfdb/81090
[6] http://www.securityfocus.com/bid/57190
[7] http://secunia.com/advisories/51759
[8] http://www.osvdb.org/show/osvdb/89108
Changelog
[08.01.2013] - Initial release
[09.01.2013] - Added reference [2], [3] and [4]
[10.01.2013] - Added reference [5] and [6]
[12.01.2013] - Added reference [7]
[13.01.2013] - Added reference [8]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk