CVE-2012-2413

[Rikk]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2413
http://www.waraxe.us/advisory-87.html

Hello,
I don't know why this vulnerability is not fixed in this repo. I could not find a public fix for this, so I came with this possibility.
If this repo had "Issues" enabled, it would be possible to gather feedback prior to making a PR, but this is not the case...

[Joey3000]

Thanks for reporting this!

I would suggest the following solution instead, to be safe against context issues (see https://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-%28XSS%29.html#cross-site-scripting-and-injecting-context), in case they are possible: In

Joomla1.5.999/templates/ja_purity/html/modules.php

Line 55 in bee8464

if(isset($_COOKIE['Mod'.$module->id])) $modhide = $_COOKIE['Mod'.$module->id];

, do:

< if(isset($_COOKIE['Mod'.$module->id])) $modhide = $_COOKIE['Mod'.$module->id];
---
> if(isset($_COOKIE['Mod'.$module->id]) && ($_COOKIE['Mod'.$module->id] === 'hide')) $modhide = 'hide';

That should be safer. It is possible, because there are only two possible values: show and hide - see

Joomla1.5.999/templates/ja_purity/css/template.css

Lines 1502 to 1511 in bee8464

	/*collapsible h3*/
	h3.show {
	background: url(../images/arrow2.png) no-repeat 90% 60%;
	cursor: pointer;
	}
	h3.hide {
	background: url(../images/arrow3.png) no-repeat 90% 60%;
	cursor: pointer;
	}

.

This can be tested, e.g., with the Poll Module - it shows/hides when clicked on its header.

On a side note, there doesn't seem to be a reason to have used a cookie for this in the first place, as the cookie value seems to be ignored on a page load - the module starts with the default show, even if the browser cookie is at hide. Or maybe it's a bug.

[Rikk]

Thanks for investigating how this works and for pointing out that nice doc about XSS.
I've added a new commit following your suggestion.