Joomla! 1.5 and 1.6 rely on the JFilterInput class to sanitize user-supplied HTML. The class attempts to parse a given string for HTML code, checks that code against a whitelist of elements and attributes, and strips out anything that is not allowed. However, malformed HTML can be used to bypass the filter and inject XSS code into user-supplied input.
The following string bypasses JFilterInput's "safe" attribute filtering in both 1.5 and 1.6:
<img src="<img src=x"/onerror=alert(1)//">
Users of 1.6 can test this by enabling the "Profile" user plugin and injecting this string into the "About Me" textarea. Joomla! 1.5 has no known core extensions that allow guests or regular users to post HTML; however, any third-party extension that relies on this class to sanitize input will be vulnerable.
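As an added illustration (not code from this advisory or from Joomla!), the Python below contrasts a constructed quote-aware regex attribute check, standing in for the class of mistake described above, with a sanitizer that applies an attribute whitelist to the output of a real HTML tokenizer. The bypass string is the one quoted above; the ALLOWED table and all function names are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# The bypass string quoted in the advisory above.
BYPASS = '<img src="<img src=x"/onerror=alert(1)//">'

# Assumed whitelist: element -> attributes permitted on it.
ALLOWED = {"img": {"src", "alt"}, "b": set(), "i": set(), "p": set()}

# Constructed illustration of the mistake class: attributes pulled out with a
# regex that only understands quoted values. The unquoted onerror= never
# matches, so the check sees only src= and passes the whole tag untouched.
QUOTED_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def naive_is_clean(tag_text, tag="img"):
    names = [m.group(1) for m in QUOTED_ATTR.finditer(tag_text)]
    return all(n in ALLOWED[tag] for n in names)

class WhitelistSanitizer(HTMLParser):
    """Rebuild markup from tokenizer events, keeping only whitelisted tags/attrs."""
    def __init__(self):
        super().__init__()
        self.out = []
        self.seen = []  # (tag, [attribute names]) exactly as the tokenizer saw them

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, [n for n, _ in attrs]))
        if tag not in ALLOWED:
            return  # unknown element: drop the tag itself
        kept = [(n, v) for n, v in attrs if n in ALLOWED[tag] and not n.startswith("on")]
        parts = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{parts}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted

def sanitize(markup):
    p = WhitelistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.seen

if __name__ == "__main__":
    print(naive_is_clean(BYPASS))  # True: the regex scanner never sees onerror
    print(sanitize(BYPASS))        # tokenizer sees src AND onerror; onerror is dropped
```

The tokenizer-based sanitizer reports the same attribute list a browser would act on, which is the property the ad-hoc string scanning lacks.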
- Vulnerabilities Discovered: 15 January 2011
- Vendor Notified: 15 January 2011
- Vendor Response: 17 January 2011
- Update Available: ...
- Disclosure: 1 February 2011
Since posting this, I've decided to go ahead and publish the email exchange... in all its brevity. Some headers removed.
It was well over 7 days, so I guess I'm a jackass for assuming the ticket was closed?
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.