I have two outstanding security issues with my site which I believe lie with JoomSEF.

Issue Number 1 - URL manipulation

Loading a URL with a single quote at the end gives an unhandled error and appears to show some JoomSEF SQL. For example: staging-www.mdbcloud.co.uk/getting-started'

Issue Number 2 - Arbitrary URL XSS

Go to one of our URLs:
staging-www.mdbcloud.co.uk/blog/entry/will-hs2-change-your-life

Use a web proxy tool like "Burp" to capture the request. Use this to change the value of the URL from:

GET /blog/entry/will-hs2-change-your-life HTTP/1.1

to

GET /blog/entry/will-hs2-change-your-life<script>alert('123');</script> HTTP/1.1

Then forward this (and all other requests) and an error page will be shown, and the script will execute in the user's browser.

Hi,

Thank you for your report, we'll check and fix these problems as soon as possible.
Could you please post the version of JoomSEF you use? Thank you.

Version 4.5.1

Hi,

We've just tested the reported issues on Joomla 2.5.20 and 3.3.0.

We've confirmed that the first issue is a bug in JoomSEF and will be fixed in next version.

However the second issue is present directly in Joomla 2.5.20 even without JoomSEF, so you should report this problem to Joomla team and they should fix it in Joomla's core (the problem is present if some component displays the URL obtained from JUri::getInstance()). We couldn't confirm the problem on Joomla 3.3.0 - the URL displayed in website's source code is escaped correctly.