Joomla! JCE Component Cross-Site Scripting and Arbitrary File Upload Vulnerabilities
Description
Secunia Research has discovered two vulnerabilities in the JCE component for Joomla!, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks.
1) Input passed to the "search" parameter in administrator/index.php (when "option" is set to "com_jce" and "view" is set to "profiles") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) The components/com_jce/editor/extensions/browser/file.php script does not properly verify uploaded files when "chunk" is set to a value greater than "0". This can be exploited to execute arbitrary PHP code by uploading a PHP file with e.g. a ".jpg.pht" file extension.
Successful exploitation of this vulnerability requires "Author" privileges.
The vulnerabilities are confirmed in version 2.0.21. Prior versions may also be affected.
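An added example (not JCE's code and not part of the original advisory): one way to validate an uploaded file name so that a double extension such as ".jpg.pht" is rejected, with the check applied on every chunk rather than only the first. The function names, the image allowlist and the sample names are assumptions made for illustration; the check covers names only, not file contents.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical validator, not JCE's code. The allowlist is an assumption.
const ALLOWED_FINAL_EXT = ['jpg', 'jpeg', 'png', 'gif'];
// Segments that common Apache/PHP handler mappings treat as executable PHP.
const PHP_HANDLER_SEGMENT = '/^(php\d*|pht|phtml|phar)$/i';

/** Returns [bool $ok, string $reason] for a client-supplied file name. */
function validate_upload_name(string $name): array
{
    if (strpos($name, "\0") !== false) {
        return [false, 'NUL byte in name'];
    }
    // Drop any path component, then trailing dots/spaces some filesystems ignore.
    $base = rtrim(basename(str_replace('\\', '/', $name)), '. ');
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return [false, 'no extension or dotfile'];
    }
    $final = strtolower((string) end($parts));
    if (!in_array($final, ALLOWED_FINAL_EXT, true)) {
        return [false, "final extension '$final' not allowed"];
    }
    // Reject e.g. "x.php.jpg": multi-extension handler configs may still run it.
    foreach (array_slice($parts, 1, -1) as $segment) {
        if (preg_match(PHP_HANDLER_SEGMENT, $segment) === 1) {
            return [false, "executable segment '$segment'"];
        }
    }
    return [true, 'ok'];
}

/** Hypothetical chunk handler: the name is checked on every chunk, not only chunk 0. */
function accept_chunk(string $name, int $chunk): bool
{
    [$ok, $reason] = validate_upload_name($name);
    printf("chunk=%d %-16s %s (%s)\n", $chunk, $name, $ok ? 'ACCEPT' : 'REJECT', $reason);
    return $ok;
}

// Constructed sample names; the ".jpg.pht" form is the one the advisory mentions.
foreach ([['photo.jpg', 0], ['photo.jpg.pht', 1], ['photo.php.jpg', 2], ['.htaccess', 1]] as [$n, $c]) {
    accept_chunk($n, $c);
}
```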
Vulnerable Products
Vulnerable Software: JCE 2.x (component for Joomla!)