Thursday, 17 September 2009 00:00

The Joomla component ccBoard 1.1-RC suffers from a cross-site scripting (XSS) vulnerability when the forum is configured to use the internal HTML editor rather than bbCode. This is the default setting on install.

To reproduce, simply post a new message. Either toggle the editor to 'off' or use the HTML Source editing button, insert your JavaScript, and submit.

<script>alert('xss');</script>

The editor was even nice enough to make my XSS injection pretty upon saving:

<script type="text/javascript">// <![CDATA[
alert('xss');
// ]]></script>
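The defensive counterpart to the bug above is to run every post through an allowlist HTML sanitiser before it is stored or rendered, regardless of which editor mode produced it. The following is an added illustration written for this page, not ccBoard's or Joomla's own code (those are PHP; this is a Python stand-in of the same idea). The tag and attribute allowlists are assumptions chosen for a forum, and the sample inputs, which include the payload in both forms shown above, are constructed.

```python
"""Allowlist HTML sanitiser for forum posts (illustrative Python, not ccBoard's PHP code).

Design: anything not explicitly allowed is removed. <script>/<style> elements lose
their content entirely; other unknown tags are dropped but their text is kept;
event-handler attributes never survive because only listed attributes are copied.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for a forum post (tune per deployment).
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "br", "a",
                "ul", "ol", "li", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>: their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text (handled in handle_data)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onclick=, onerror=, style= etc. never reach the output
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped, so a literal "<script>" typed as text stays inert.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments (including CDATA wrappers) are dropped


def sanitize_post(html_text: str) -> str:
    """Return a cleaned copy of an untrusted forum post body."""
    parser = PostSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample posts: the advisory's payload as submitted and as the editor saved it,
    # plus a few other classic vectors and one legitimate post.
    samples = [
        "<script>alert('xss');</script>",
        '<script type="text/javascript">// <![CDATA[\nalert(\'xss\');\n// ]]></script>',
        '<p onclick="alert(1)">Hi <b>there</b></p>',
        '<a href="javascript:alert(1)">click</a>',
        "<img src=x onerror=alert(1)>",
        '<p>See <a href="https://example.com/?a=1&b=2">this</a></p>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_post(s)))
```

Because the sanitiser keeps only what the allowlist names, it does not need a list of dangerous tags or attributes to stay current; the only things that require review when the editor changes are the allowlists themselves.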

Last Updated on Wednesday, 04 November 2009 22:20

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
