SECUNIA ADVISORY ID:
SA40926
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40926/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40926
RELEASE DATE:
2010-08-09
DESCRIPTION:
Salvatore Fresta has discovered some vulnerabilities in the
cgTestimonial component for Joomla!, which can be exploited by
malicious users and malicious people to compromise a vulnerable
system and by malicious people to conduct cross-site scripting
attacks.
1) Input passed to the "url" parameter in
components/com_cgtestimonial/video.php is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of an affected site.
2) An error in the components/com_cgtestimonial/cgtestimonial.php
script allows upload of files with arbitrary extensions to a folder
inside the web root. Because the upload check relies on the
client-supplied content type rather than on the file's contents or
extension, this can be exploited to execute arbitrary PHP code by
uploading a PHP file declared with e.g. an "image/jpg" content type.
3) An error in the
administrator/components/com_cgtestimonial/testimonial.php script
allows upload of files with arbitrary extensions to a folder inside
the web root. As in 2), this can be exploited to execute arbitrary PHP
code by uploading a PHP file declared with e.g. an "image/jpg" content
type.
Successful exploitation of vulnerability 3) requires "Public
Back-end" permissions.
The vulnerabilities are confirmed in version 1.0. Other versions may
also be affected.
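The reflection pattern behind vulnerability 1), as an added illustration that is not code from the cgTestimonial component. It assumes video.php reads a "url" query parameter and writes it into an HTML attribute; the function names and the embed markup are invented for the example.

```php
<?php
// Added example, not the component's code. Assumed: a script that takes a
// "url" query parameter and places it in the src attribute of an embed tag.

// Vulnerable form: the raw parameter is written into the attribute, so a
// value containing a double quote breaks out of it and injects markup.
function render_video_vulnerable(array $get): string
{
    $url = isset($get['url']) ? $get['url'] : '';
    return '<embed src="' . $url . '" type="application/x-shockwave-flash">';
}

// Hardened form: accept only absolute http(s) URLs (this also drops
// javascript: and data: schemes), then HTML-encode on output so the value
// can never terminate the attribute it is placed in.
function render_video_safe(array $get): string
{
    $url = isset($get['url']) ? $get['url'] : '';
    $parts = parse_url($url);
    $scheme = (is_array($parts) && isset($parts['scheme'])) ? strtolower($parts['scheme']) : '';
    if (!in_array($scheme, array('http', 'https'), true) || empty($parts['host'])) {
        return '<p>Invalid video URL.</p>';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<embed src="' . $safe . '" type="application/x-shockwave-flash">';
}

// Constructed inputs: an attribute-breakout payload and a legitimate URL.
$inputs = array(
    '"><script>alert(document.cookie)</script>',
    'javascript:alert(1)',
    'http://example.com/clip.flv',
);
foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . render_video_vulnerable(array('url' => $in)) . "\n";
    echo "safe:       " . render_video_safe(array('url' => $in)) . "\n\n";
}
```

Run it with the PHP CLI; the first input shows the injected script element surviving intact in the vulnerable output and being neutralised (or rejected outright by the scheme check) in the hardened one.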
SOLUTION:
Edit the source code to ensure that input is properly sanitised.
Restrict access to the components/com_cgtestimonial/user_images
directory (e.g. via .htaccess) so that uploaded files cannot be
executed as PHP.
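The upload check that vulnerabilities 2) and 3) describe, beside a hardened replacement that also applies the .htaccess restriction recommended above. This is an added example, not cgTestimonial's own code; the function names, the upload directory and the sample files are assumptions for illustration, and the code requires PHP 7 or later.

```php
<?php
// Added example, not cgTestimonial's code. Shows why a content-type check
// is bypassable and how to validate an image upload properly.

// Vulnerable pattern: the only gate is the MIME type the client declared.
// $_FILES[...]['type'] is copied from the multipart request, so an attacker
// uploads shell.php with "Content-Type: image/jpg" and the file keeps its
// .php extension inside the web root.
function check_upload_vulnerable(array $file): bool
{
    $allowed = array('image/jpg', 'image/jpeg', 'image/png', 'image/gif');
    return in_array($file['type'], $allowed, true);
}

// Hardened pattern: decide from the bytes and return a server-chosen
// extension, or null to reject. Neither the client's MIME type nor the
// client's filename is consulted.
function check_upload_safe(array $file): ?string
{
    $ext = array(IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png');
    $info = @getimagesize($file['tmp_name']);   // false unless a decodable image
    if ($info === false || !isset($ext[$info[2]])) {
        return null;
    }
    return $ext[$info[2]];
}

// Random server-side name: drops the client's name, extension and any path.
function safe_destination(string $dir, string $ext): string
{
    return $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Defence in depth for a directory that has to stay inside the web root:
// tell Apache never to execute scripts from it. getimagesize() still
// accepts a polyglot (a valid GIF carrying PHP in a comment block), so the
// rename above and this rule are what make such a file harmless.
function lock_down_directory(string $dir): void
{
    $rules = "php_flag engine off\n"
           . "RemoveHandler .php .phtml .php3 .php4 .php5 .phar\n"
           . "<FilesMatch \"\\.(?i:ph(p[3-7]?|tml|ar))$\">\n"
           . "    Deny from all\n"   // Apache 2.2 syntax; on 2.4 use "Require all denied"
           . "</FilesMatch>\n";
    $ht = $dir . '/.htaccess';
    if (!file_exists($ht)) {
        file_put_contents($ht, $rules);
    }
}

// Complete hardened handler for a real request ($file is one $_FILES entry).
function store_upload_safe(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = check_upload_safe($file);
    if ($ext === null) {
        throw new RuntimeException('not an image');
    }
    lock_down_directory($dir);
    $dest = safe_destination($dir, $ext);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Constructed demo: a PHP file announced as image/jpg, and a real 1x1 GIF.
$shell = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($shell, '<?php system($_GET["c"]); ?>');
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

foreach (array('shell.php' => $shell, 'pic.gif' => $gif) as $name => $tmp) {
    $file = array('name' => $name, 'type' => 'image/jpg', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK);
    printf("%-10s vulnerable check: %-7s safe check: %s\n", $name,
        check_upload_vulnerable($file) ? 'accept' : 'reject',
        check_upload_safe($file) ?? 'reject');
}
unlink($shell);
unlink($gif);
```

The vulnerable check accepts both constructed files because both claim image/jpg; the hardened check accepts only the GIF and assigns it a .gif extension under a random name. Storing uploads outside the web root and serving them through a script is stronger still; the .htaccess rule is the fallback for installations where the directory must remain web-accessible, and it only works when AllowOverride permits it.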
PROVIDED AND/OR DISCOVERED BY:
Salvatore Fresta aka Drosophila
ORIGINAL ADVISORY:
http://adv.salvatorefresta.net/cgTestimonial_2.2_Joomla_Component_Multiple_Remote_Vulnerabilities-06082010.txt