--------------------------------------------------------- RatioSec Research Security Advisory RS-2016-001 --------------------------------------------------------- JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and XSS vulnerabilities --------------------------------------------------------- Product: JSN PowerAdmin Joomla! Extension Vendor: JoomlaShine.com Tested Versions: 2.3.0 Other Vulnerable Versions: Prior versions may also be affected Vendor Notification: 28th January, 2016 Advisory Publication: 24th February, 2016 CVE Reference: Pending RatioSec Advisory Reference: RS-2016-001 Risk Level: High CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L --------------------------------------------------------- RatioSec Research has discovered two cross-site request forgery and reflected cross-site scripting vulnerabilities in JSN PowerAdmin Joomla! Extension which can be exploited, respectively, to upload PHP files and run arbitrary HTML and script code in a user's browser session in context of the affected web site. 1) The application allows users to perform certain actions via HTTP requests without performing proper checks to verify the requests validity. An authenticated user's browser can be forced to upload PHP files via the extension installer and subsequently execute arbitrary commands with the web server privileges by tricking the user into visiting a malicious web site. 2) Input passed to `identified_name` GET parameter when `package` is set, `option` is set to `com_poweradmin`, `view` is set to `installer`, and `task` is set to `installer.install` in `/administrator/index.php` is not properly sanitised before being reflected. This can be exploited to run arbitrary HTML and script code in a user's browser session in context of the affected web site. --------------------------------------------------------- Proof of Concept Read the advisory details on the RatioSec Research website for the proof of concept code. http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/ ---------------------------------------------------------- Solution No official solution is currently available. ---------------------------------------------------------- Timeline - First contact: 27th January, 2016 - Disclosure: 28th January, 2016. Preliminary date set to 10th, February 2016. - E-mail notice after no response: 02nd February, 2016 - Advisory Publication: 24th February, 2016 ---------------------------------------------------------- Advisory URL http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/ RatioSec Research Mail: research at ratiosec dot com Web: http://www.ratiosec.com/ Twitter: https://twitter.com/ratio_sec
