Thursday, 16 July 2009 12:04

The Joomla component Agora 3.0.0 RC1 Rev.4 suffers from a persistent XSS vulnerability. It can be exploited by uploading a malicious SWF file as an attachment and then embedding it with the [swf] BBCode tag. Because the attachment is served from the forum's own origin, Flash Player's cross-domain restrictions on scripting the host page do not apply.

To exploit this, we take advantage of the 'attachment' feature, which appears to validate uploads by file extension only. As we all know, only Windows cares what a file's extension is; the bytes inside determine what the file really is. :) Flash Player in particular recognises a SWF by the signature at the start of the file (FWS or CWS), not by the name it is served under, so a SWF renamed to .jpg plays just the same.

So, we start by crafting a malicious Flash file. Create a new, empty file in Flash, and insert your malicious script into an ExternalInterface call in the first frame's Actions:

// ActionScript 3, placed in the first frame's Actions. ExternalInterface bridges into the host page's JavaScript.
import flash.external.ExternalInterface;
var js:String = ( <![CDATA[
alert( 'xss' );
]]> ).toString();
// The script text is wrapped in an anonymous function and executed in the embedding page's origin.
ExternalInterface.call( "function(){" + js + "}" );

Now save and export the movie. Rename the resulting .swf with an allowed extension, e.g. .jpg. Go to the victim's Agora forum, start a new topic, upload the payload as an attachment and insert it; you are presented with a BBCode [url] link to the file, hosted on the same server as the forum. That same-origin hosting is the crux: Flash Player's default allowScriptAccess value of sameDomain lets a SWF call JavaScript through ExternalInterface only when it is loaded from the page's own domain, so an attacker-hosted SWF would be blocked while an uploaded attachment is not. Change the [url] BBCode to [swf]http:// ... path to your attached swf renamed as jpg ...[/swf] and post; every visitor who views the topic runs the script in the forum's origin.
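As an added example (not code from this post or from the Agora component), the following Python puts the extension-only check described above next to a content-based check that rejects a SWF however it is named, and adds a sweep over stored attachments for use after the fact. The sample filenames and byte strings are constructed for illustration, and the function names are my own.

```python
import os
from typing import Dict, List, Tuple

# Signatures that identify a file by content rather than by name.
# FWS = uncompressed SWF, CWS = zlib-compressed SWF, ZWS = LZMA-compressed SWF.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
IMAGE_MAGICS = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = set(IMAGE_MAGICS)


def extension_of(filename: str) -> str:
    return os.path.splitext(filename)[1].lower().lstrip(".")


def extension_only_check(filename: str) -> bool:
    """The weak check the post describes: trust the name, never look inside."""
    return extension_of(filename) in ALLOWED_EXTENSIONS


def is_swf(data: bytes) -> bool:
    """True if the bytes start with a SWF signature, whatever the file is called."""
    return data[:3] in SWF_MAGICS


def content_check(filename: str, data: bytes) -> bool:
    """Hardened check: the extension must be allowed AND the bytes must carry
    that type's signature. A SWF renamed to .jpg fails on the second condition."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if is_swf(data):
        return False
    return any(data.startswith(magic) for magic in IMAGE_MAGICS[ext])


def audit_attachments(files: Dict[str, bytes]) -> List[str]:
    """Post-incident sweep: names of stored attachments whose content is SWF."""
    return sorted(name for name, data in files.items() if is_swf(data))


# Constructed sample attachments (not real uploads): a JPEG header, a PNG
# header, a zlib-compressed SWF renamed to .jpg, and an SWF with its own name.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "payload.jpg": b"CWS\x0a\x00\x00\x00\x00x\x9c",
    "movie.swf": b"FWS\x08\x00\x00\x00\x00",
}


def demo() -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (passes extension-only check, passes content check)."""
    return {
        name: (extension_only_check(name), content_check(name, data))
        for name, data in SAMPLE_FILES.items()
    }


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:12s} extension-only={weak!s:5s} content-check={strong}")
    print("attachments that are really SWF:", audit_attachments(SAMPLE_FILES))
```

The renamed payload passes the extension-only check and is rejected by the content check; the sweep flags it alongside the honestly named SWF. Checking signatures closes the renamed-upload route on the server; independently, rendering the [swf] tag with allowScriptAccess="never" on the object/embed would stop any embedded SWF from scripting the page at all.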

Timeline

  • Vulnerabilities Discovered: 16 July 2009
  • Vendor Notified: 16 July 2009
  • Vendor Response: 17 July 2009
  • Update Available: 17 July 2009
  • Disclosure: 17 July 2009
Last Updated on Thursday, 30 September 2010 17:41


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
