Jump to content
Kwelwild

Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability

Recommended Posts

Posted

Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability

-------------------------------------------------------------------
Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------


[-] Software Link:

http://www.joomla.org/


[-] Affected Versions:

Version 3.0.2 and earlier 3.0.x versions.
Version 2.5.8 and earlier 2.5.x versions.


[-] Vulnerability Description:

The vulnerable code is located in /plugins/system/highlight/highlight.php:

56. // Get the terms to highlight from the request.
57. $terms = $input->request->get('highlight', null, 'base64');
58. $terms = $terms ? unserialize(base64_decode($terms)) : null;

User input passed through the "highlight" parameter is not properly sanitized before being used in
an unserialize() call at line 58. This can be exploited to inject arbitrary PHP objects into the
application scope. Successful exploitation of this vulnerability doesn't require authentication,
but requires the "System Highlight" plugin to be enabled (such as by default configuration).


[-] Solution:

Upgrade to version 3.0.3 or 2.5.9.


[-] Disclosure Timeline:

[31/10/2012] - Vendor notified
[08/11/2012] - Vendor asked for a proof of concept
[08/11/2012] - Proof of concept provided to the vendor
[04/02/2013] - Vendor update released
[27/02/2013] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1453 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-03

Surs?: Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...