
Joomla Incapsula Component <= 1.4.6_b Reflected Cross-Site Scripting Vulnerability

Medium
Advisory ID: ZSL-2013-5121
Release Date: 08 January 2013
Vendor: Incapsula Inc. - http://www.incapsula.com
Affected Version: 1.4.6_b and below
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a
Summary

Once installing the Incapsula for Joomla component, simply make the provided DNS changes and within minutes your website traffic will be seamlessly routed through Incapsula’s globally distributed network of POPs.

Description

The Joomla Incapsula component suffers from a reflected XSS issue because the 'Security.php' and 'Performance.php' scripts echo the 'token' GET parameter into the page without sanitizing it. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

/administrator/components/com_incapsula/assets/tips/en/Performance.php:
-----------------------------------------------------------------------
22: <a href="https://my.incapsula.com/billing/selectplan?token=<?php echo $_GET['token']; ?> target="_blank" class="IFJ_link">Click here</a> to upgrade your account

Patch:
------
22: <a href="https://my.incapsula.com/billing/selectplan?token=<?php echo htmlentities($_GET['token']); ?>" target="_blank" class="IFJ_link">Click here</a> to upgrade your account
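
The token above lands in two nested contexts: a URL query component inside a double-quoted HTML attribute. The following is an added example, not code from the advisory or the vendor's patch, showing output encoding for both layers; the function names are hypothetical and the token is assumed to be an opaque string.

```php
<?php
// Added example: ifj_token_for_href() and ifj_upgrade_link() are hypothetical
// helpers, not part of com_incapsula.

// Encode a value for a URL query component inside a double-quoted attribute.
function ifj_token_for_href($token)
{
    // ?token[]=x arrives as an array; treat any non-string as an empty token.
    if (!is_string($token)) {
        return '';
    }
    // Layer 1: percent-encode for the URL query component.
    $urlSafe = rawurlencode($token);
    // Layer 2: HTML-encode for the attribute value. ENT_QUOTES also covers the
    // single quote, which the default flags (ENT_COMPAT) leave untouched.
    return htmlspecialchars($urlSafe, ENT_QUOTES, 'UTF-8');
}

function ifj_upgrade_link($token)
{
    // The attribute value is always closed with a double quote; HTML encoding
    // alone does not protect an unquoted or unterminated attribute.
    return '<a href="https://my.incapsula.com/billing/selectplan?token='
        . ifj_token_for_href($token)
        . '" target="_blank" class="IFJ_link">Click here</a> to upgrade your account';
}

// Constructed sample inputs, standing in for $_GET['token'].
$samples = array(
    'plain token'       => 'abc123',
    'markup characters' => 'x"><b>injected</b>',
    'single quote'      => "x' y='z",
    'array parameter'   => array('x'),
);

foreach ($samples as $label => $value) {
    $encoded = ifj_token_for_href($value);
    // No character that can close the attribute or open a tag may survive.
    $ok = (strpbrk($encoded, "\"'<> ") === false);
    printf("%-18s %s\n  %s\n", $label . ':', $ok ? 'OK' : 'UNSAFE', ifj_upgrade_link($value));
}
```

In the tips template the call would read `<?php echo ifj_upgrade_link(isset($_GET['token']) ? $_GET['token'] : ''); ?>`.
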
Proof of Concept
Disclosure Timeline
06.12.2012: Vulnerabilities discovered.
06.12.2012: Initial contact with the vendor.
09.12.2012: Vendor responds asking for more details.
10.12.2012: Working with the vendor.
20.12.2012: Vendor releases patched version 1.4.6_c.
09.01.2013: Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
08.01.2013: Initial release
09.01.2013: Added reference [2], [3] and [4]
10.01.2013: Added reference [5] and [6]
12.01.2013: Added reference [7]
13.01.2013: Added reference [8]