Joomla core 3.1.5 suffers from a reflected XSS vulnerability that allows injection of HTML and malicious scripts. This can be exploited by malicious people to steal cookies and other sensitive information of other legitimate users in the context of the affected website.
The affected file libraries/idna_convert/example.php has multiple injection points. The first is the unsanitized lang parameter in line 24:
if (isset($_REQUEST['lang'])) {
    // $lang is only assigned when the value is 'de' or 'en' ...
    if ('de' == $_REQUEST['lang'] || 'en' == $_REQUEST['lang']) $lang = $_REQUEST['lang'];
    // ... but the raw request value, not the validated $lang, is echoed into the attribute unescaped
    $add .= '<input type="hidden" name="lang" value="'.$_REQUEST['lang'].'" />'."\n";
}
The second is in lines 112 and 119, which print out the unsanitized script path ($_SERVER['PHP_SELF']) as the form action:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get">
An attacker can exploit these weaknesses to execute arbitrary HTML and script code by tricking a legitimate logged-in user into visiting a maliciously crafted URL such as:
http://localhost/joomla/libraries/idna_convert/example.php?lang="><script>alert(document.cookie);</script><!--
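As an added illustration of the fix for both injection points (this is example code written for this advisory, not the Joomla project's own patch, which removed example.php entirely), the two vulnerable lines can be rewritten so that only an allow-listed value reaches the hidden input and both outputs are escaped for their HTML attribute context. The function names render_lang_input and render_form_action are hypothetical; the sample request value is constructed from the proof-of-concept URL above.

```php
<?php
// Added example, not Joomla code. Hardened versions of the two output
// points named in the advisory, using PHP's built-in htmlspecialchars().

// Hypothetical helper replacing line 24: the hidden input is built from the
// validated $lang, never from the raw $_REQUEST value.
function render_lang_input(array $request): string
{
    $allowed = ['de', 'en'];
    // Fall back to a fixed default when the parameter is missing or not on the
    // allow-list, instead of reflecting whatever the client sent.
    $lang = 'en';
    if (isset($request['lang']) && in_array($request['lang'], $allowed, true)) {
        $lang = $request['lang'];
    }
    // Escape for the attribute context anyway, so a future change to the
    // allow-list cannot silently reintroduce the injection.
    $safe = htmlspecialchars($lang, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="lang" value="' . $safe . '" />' . "\n";
}

// Hypothetical helper replacing lines 112 and 119: $_SERVER['PHP_SELF'] can
// carry client-supplied PATH_INFO, so it is escaped before being echoed.
function render_form_action(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="get">' . "\n";
}

// Constructed sample inputs modelled on the advisory's proof of concept.
$request = ['lang' => '"><script>alert(document.cookie);</script><!--'];
echo render_lang_input($request);                 // value is the default 'en'
echo render_form_action('/joomla/libraries/idna_convert/example.php/"><i>x</i>');
```

Run with `php example.php` from the command line; the first line emitted contains value="en" and the second contains the path with the quote and angle brackets encoded as entities, so neither reflected value can close the attribute it is placed in.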
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5583 to the vulnerability.
Timeline:
04/09: Vulnerability advised to the Joomla developers
05/09: Fixed by deleting the example.php file
05/09: Vulnerability disclosure