cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities

Name              cgTestimonial
Vendor            http://www.cmsgalaxy.com
Versions Affected 2.2
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-08-06

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

The cg_Testimonial component is a tool that lets users add testimonials from the frontend and lets administrators manage and publish them from the backend. This Joomla extension allows website users to submit a testimonial form with several fields on one of your site's pages, and enables testimonials to be added by either users or the admin.

II. DESCRIPTION
_______________

Some parameters are not properly sanitised. The following vulnerabilities can be exploited by guest users.

III. ANALYSIS
_____________

Summary:

 A) Multiple Arbitrary File Upload
 B) XSS

A) Multiple Arbitrary File Upload
_________________________________

The usr_img parameter in cgtestimonial.php (frontend) and in testimonial.php (admin, where no check is performed at all) is not properly sanitised. The only check performed is on the Content-Type HTTP field, which is supplied by the client.

B) XSS
______

The url parameter in video.php is not properly sanitised before being printed on screen.

IV. SAMPLE CODE
_______________

A) Multiple Arbitrary File Upload

http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt

B) XSS

http://site/path/components/com_cgtestimonial/video.php?url=">

V. FIX
______

No fix.
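As an added illustration of the two weaknesses described in section III (this is not the component's code, and no vendor fix exists), the following PHP contrasts a check that trusts the client-supplied Content-Type with server-side validation of the uploaded file, and shows output escaping for a request parameter printed into HTML. The function names and $uploadDir are assumptions; only the usr_img parameter name comes from the advisory.

```php
<?php
// Added example, not the cgTestimonial code. $_FILES['usr_img'] is the
// parameter named in the advisory; function names are hypothetical.

// Weak pattern: the 'type' field comes from the browser's Content-Type
// header, which the client controls, so it proves nothing about the file.
function acceptByContentType(array $file): bool
{
    return in_array($file['type'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Hardened pattern: ignore the client-supplied type and filename entirely.
function storeTestimonialImage(array $file, string $uploadDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Allow-list of accepted types, mapped to the extension the file will get.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    // Detect the type from the file contents, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Second opinion: the image parser must agree it is an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Generate a random name with a fixed extension so the user-chosen
    // filename (and any .php or double extension) never reaches the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Output side, for the url parameter in video.php: escape before the
// value is printed into an HTML attribute or element.
function renderVideoUrl(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The upload directory should additionally be configured so the web server never executes scripts from it, which limits the impact even if validation is bypassed.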