Joomla! "searchword" Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA45262

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45262/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45262

RELEASE DATE:
2011-07-22

DESCRIPTION:
Aung Khant has discovered a vulnerability in Joomla!, which can be
exploited by malicious people to conduct cross-site scripting
attacks.

Input passed via the "searchword" POST parameter to index.php (when
"option" is set to "com_search" and "task" is set to "search") is not
properly sanitised in the "redirect()" function in
libraries/joomla/application/application.php before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of an affected site.

Successful exploitation requires that "magic_quotes_gpc" is
disabled.

This may be related to vulnerability #8 in:
SA45094

The vulnerability is confirmed in version 1.7.0. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
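
One way to apply this kind of fix, as an added example that is not code from Joomla! or from the advisory: the helper names, the 303 status and the fallback body are assumptions. It percent-encodes the search term when the redirect URL is built, then encodes the URL again for each output context it is written into.

```php
<?php
// Added example: hypothetical helpers, not Joomla's application.php.
// Assumption: the redirect target is built from the submitted search term and,
// when headers are already sent, is written into the response body.

// Percent-encode the user-supplied term when building the redirect URL.
function build_search_url(string $base, string $searchword): string
{
    // Remove control characters; CR/LF in a Location header allows header splitting.
    $term = preg_replace('/[\x00-\x1F\x7F]/', '', $searchword) ?? '';
    return $base . '?' . http_build_query(
        ['option' => 'com_search', 'searchword' => $term],
        '', '&', PHP_QUERY_RFC3986
    );
}

// Body used when a Location header can no longer be sent. Each sink gets the
// encoder for its own context: JavaScript string literal and HTML attribute.
function redirect_fallback_body(string $url): string
{
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $js = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>location.replace(' . $js . ');</script>'
         . '<noscript><a href="' . $attr . '">Continue</a></noscript>';
}

// Prefer a real Location header; only fall back to body output when forced to.
function safe_redirect(string $url): void
{
    if (!headers_sent()) {
        header('Location: ' . $url, true, 303);
    } else {
        echo redirect_fallback_body($url);
    }
}

// Constructed sample input containing HTML metacharacters and a CR/LF pair.
$url = build_search_url('index.php', "shoes\"><i>sale</i>\r\n");
echo $url, "\n";
echo redirect_fallback_body($url), "\n";
```

Relying on "magic_quotes_gpc" being enabled is not a substitute for this encoding; the setting was removed in PHP 5.4.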

PROVIDED AND/OR DISCOVERED BY:
Aung Khant

ORIGINAL ADVISORY:
http://bl0g.yehg.net/2011/07/joomla-170-rc-and-lower-multiple-cross.html