I've been working on a custom Joomla component for a client at work, and needed to validate certain aspects of the admin form. I could have recreated the wheel and written my own validation routine, but I really wanted to use Joomla's core validation behavior. What follows is how I managed to validate a form when submitted using the core Joomla toolbar buttons.
The Joomla component Joo!BB 0.9.1 suffers from multiple persistent XSS vulnerabilities in its BBCode implementation, as well as Blind SQL Injection in its search feature.
[font=Impact, Compacta, Chicago, sans-serif;color:red;]XSS[/font]
The Joomla component Agora 3.0.0 RC1 Rev.4 suffers from a Persistent XSS vulnerability. This can be exploited by uploading a malicious SWF file as an attachment then embedding it using the [swf] BBCode tag from the local server, thus bypassing any crossdomain policy.
Well, another XSS-vulnerable BBCode implementation, this time on JTag Ticketing System. This is the exact same vulnerability I posted about earlier concerning WebAmoeba.
The Joomla component uddeIM is vulnerable to XSS injection in its BBCode implementation. Extra CSS parameters can be passed inside the [color] tag, and Internet Explorer versions before 8 will run scripts using the 'expression()' CSS function.
Here's a rather nasty persistent XSS vulnerability I found today in Kunena Forums. Using nested [img] tags, it is possible to inject script into the forums.
A friend of mine was installing Joomla on his 1&1 hosting account, and the FTP transfer was taking forever. I told him I could probably write a script, upload it, and run it and have Joomla ready to be installed faster than his FTP transfer would take. Sure enough, it worked. Here's how: