FOREGROUND SECURITY, SECURITY ADVISORY 2013-001
– Original release date: July 10, 2013
– Discovered by: Adam Willard (Software Security Analyst at Foreground Security)
– Verified by: Jose Carlos de Arriba (Pentest Team Manager at Foreground Security)
– Contact: (awillard (at) foregroundsecurity (dot) com)
– Severity: 4.3/10 (Base CVSS Score)
Algis Info aiContactSafe Extension 2.0.19 (latest) Cross-Site Scripting (XSS) vulnerability – (prior versions have not been checked but could be vulnerable too).
I. BACKGROUND
Algis Info aiContactSafe is a native Joomla component developed by Algis Info.
You can use it to place a complex contact form on your web page.
Here are some of the facilities that it can offer:
– custom fields
– custom text related to the contact information
– multilingual support (through Joomfish)
– SEF through Artio JoomSEF or sh404SEF
II. DESCRIPTION
Algis Info aiContactSafe 2.0.19 (latest) presents a Cross-Site Scripting (XSS) vulnerability in the “url” input, due to insufficient input/output sanitization: the value is reflected into the page without being validated for its context or encoded for HTML.
A malicious user could perform session hijacking or phishing attacks.
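The following is an added illustrative example and is not aiContactSafe's own code (the vendor asked for the proof of concept to be withheld, so nothing here reflects the component's actual source). It shows the generic reflected-XSS pattern the description refers to, a request value echoed into markup without encoding, beside a hardened version that validates the value for the href context and HTML-encodes it at output time. The request arrays, the function names and the use of a plain array in place of Joomla's JInput are assumptions made for this example so it runs from the PHP CLI.

```php
<?php
// Added example, not the component's code: a reflected XSS pattern of the kind
// the advisory describes, beside a hardened form. Requests are constructed
// arrays so the script runs offline; in Joomla the value would come from
// JFactory::getApplication()->input->getString('url') (assumption).

// --- Vulnerable pattern: request value reflected into HTML without encoding ---
function render_vulnerable(array $request)
{
    $url = isset($request['url']) ? $request['url'] : '';
    // Attacker-controlled value lands directly in an attribute and in a text node.
    return '<a href="' . $url . '">' . $url . '</a>';
}

// --- Hardened pattern: validate for the context, then encode at output time ---
function safe_url($candidate)
{
    // Only absolute http(s) URLs belong in an href. Checking the scheme is what
    // blocks javascript: and data: URLs, which HTML encoding alone would not stop.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    return in_array($scheme, array('http', 'https'), true) ? $candidate : '';
}

function render_hardened(array $request)
{
    $url = safe_url(isset($request['url']) ? (string) $request['url'] : '');
    if ($url === '') {
        return '';
    }
    // Encode for the attribute and text-node contexts; ENT_QUOTES covers both
    // quote styles so the value cannot break out of the attribute.
    $enc = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $enc . '">' . $enc . '</a>';
}

// Constructed sample requests: one benign, one markup injection, one scheme abuse.
$samples = array(
    array('url' => 'http://example.com/page?a=1&b=2'),
    array('url' => '"><script>alert(1)</script>'),
    array('url' => 'javascript:alert(1)'),
);

foreach ($samples as $req) {
    echo "vulnerable: ", render_vulnerable($req), "\n";
    echo "hardened:   ", render_hardened($req), "\n\n";
}
```

Run with `php example.php`. The vulnerable renderer emits the injected `<script>` element and the `javascript:` href verbatim; the hardened renderer drops both and emits the benign URL with `&` and `"` encoded. The point worth keeping is that the fix is two separate steps: a context-specific validity check on input and encoding on output, since either one alone leaves a bypass.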
IV. PROOF OF CONCEPT
(This section has been removed per vendor request).
V. BUSINESS IMPACT
An attacker could perform session hijacking or phishing attacks.
VI. SYSTEMS AFFECTED
Joomla extension AlgisInfo com_aicontactsafe_2_0_19_stable (prior versions have not been checked but could be vulnerable too).
VII. SOLUTION
Fixed in the 2.0.21.stable release. Upgrade to aiContactSafe 2.0.21.stable or later.
IX. CREDITS
This vulnerability has been discovered by Adam Willard (awillard (at) foregroundsecurity (dot) com); verification and release coordination by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com).
X. REVISION HISTORY
– July 10, 2013: Initial release.
XI. DISCLOSURE TIMELINE
April 2, 2013: Vulnerability discovered by Adam Willard.
April 3, 2013: Vulnerability verified by Jose Carlos de Arriba.
April 15, 2013: AlgisInfo aiContactSafe author contacted by email.
April 15, 2013: Response from the author; security advisory sent to him.
April 16, 2013: Vulnerability fixed in the 2.0.21.stable release.
July 10, 2013: Security advisory released.
XII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise.