Joomla! JCE Component Cross-Site Scripting and Arbitrary File Upload Vulnerabilities

SECUNIA ADVISORY ID:
SA49206

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/49206/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=49206

RELEASE DATE:
2012-05-16
DESCRIPTION:
Secunia Research has discovered two vulnerabilities in the JCE
component for Joomla!, which can be exploited by malicious users to
compromise a vulnerable system and by malicious people to conduct
cross-site scripting attacks.

1) Input passed to the "search" parameter in administrator/index.php
(when "option" is set to "com_jce" and "view" is set to "profiles")
is not properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

2) An error due to the
components/com_jce/editor/extensions/browser/file.php script (when
"chunk" is set to a value greater than "0") not properly verifying
uploaded files can be exploited to execute arbitrary PHP code by
uploading a PHP file with e.g. a ".jpg.pht" file extension.

Successful exploitation of this vulnerability requires "Author"
privileges.

The vulnerabilities are confirmed in version 2.0.21. Prior versions
may also be affected.

SOLUTION:
Update to version 2.1.0.

PROVIDED AND/OR DISCOVERED BY:
Jon Butler, Secunia.

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2012-14/
http://secunia.com/secunia_research/2012-15/

JCE:
http://www.joomlacontenteditor.net/news/item/jce-21-released?category_id=32