Sunday, 15 November 2009 00:00

The Joomla component Ninjaboard 0.5.0beta suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as a minor CSRF vulnerability and a minor Path Disclosure vulnerability.

  1. XSS 1: Nested [img] Tags

    [img] [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
  2. XSS 2: JavaScript links


    Requires minimal user interaction

  3. XSS 3: CSS Injection

  4. XSS 4: Nested [url] Tags

    Requires minimal user interaction, displays indications of malware, but still technically exploitable.

    [url][url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
  5. CSRF: [img] Tags

  6. Path Disclosure: Profile View 'id' parameter

    Passing non-numeric values for the 'id' parameter of the profile page results in a Fatal Error, which reveals the full path to components/com_ninjaboard/models/profile.php.


These issues are fixed in the latest release, and users are urged to upgrade.


  • Vulnerabilities Discovered: 14 July 2009
  • Vendor Notified: 16 July 2009
  • Vendor Response: 16 July 2009
  • Update Available: 2009
  • Disclosure: 15 November... 2009
Last Updated on Thursday, 30 September 2010 17:37

Add your comment

Your name:
  The word for verification. Lowercase letters only with no spaces.
Word verification:

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.

Joomla Extensions