Agora 3.0.0 RC1 Rev.4 XSS Vulnerability

Posted in Joomla!
2009-07-16 17:04:45 +0000 UTC

The Joomla component Agora 3.0.0 RC1 Rev.4 suffers from a Persistent XSS vulnerability. This can be exploited by uploading a malicious SWF file as an attachment then embedding it using the [swf] BBCode tag from the local server, thus bypassing any crossdomain policy.

To exploit this, we take advantage of the 'attachment' feature, which only seems to check the file's extension. As we all know, only Windows cares what a file's extension is - the binary data inside is what really determines what type of file it is. :)

So, we start by crafting a malicious Flash file. Create a new, empty file in Flash, and insert your malicious script into an ExternalInterface call in the first frame's Actions:

import flash.external.ExternalInterface;

// Build the script body from a CDATA literal so it needs no escaping
var js:String = ( <![CDATA[
alert( 'xss' );
]]> ).toString();
// Hand the script to the hosting page's JavaScript engine
ExternalInterface.call( "function(){" + js + "}" );

Now, save and export the movie. Once done, rename the resulting .swf file with an allowed extension, e.g., .jpg. Go to the victim's Agora forum, start a new topic, upload your payload as an attachment, then insert it. You should be presented with a BBCode [url] link to your payload, housed on the same server as the forum (thus bypassing Flash's crossdomain security policies). Change the [url] BBCode to [swf]http:// ... path to your attached swf renamed as jpg ...[/swf], and post!
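The root cause above is an upload filter that trusts the extension alone. The following is an added example (not code from the Agora component or this advisory) of the content check a forum should perform instead: sniff the leading bytes and reject any upload whose content does not match what its extension claims, which catches an SWF renamed to .jpg. The sample byte strings are constructed inline.

```python
import os
from typing import Optional, Tuple

# Magic-number signatures. An SWF starts with FWS (uncompressed), CWS (zlib)
# or ZWS (LZMA); the fourth byte is the SWF version.
SIGNATURES = {
    "swf": (b"FWS", b"CWS", b"ZWS"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions the forum is willing to store as attachments
ALLOWED_EXTENSIONS = {"jpg", "png", "gif"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the extension is allowed AND the content agrees with it."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension .%s not allowed" % ext
    actual = sniff_type(data)
    if actual != ext:
        # This is the case the advisory abuses: SWF bytes behind a .jpg name
        return False, "content looks like %s, not %s" % (actual or "unknown", ext)
    return True, "ok"


# Constructed samples: a genuine JPEG prefix, and an SWF header renamed to .jpg
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SWF_AS_JPG = b"FWS\x0a" + (0x20).to_bytes(4, "little") + b"\x00" * 24

if __name__ == "__main__":
    print(check_upload("photo.jpg", REAL_JPEG))     # (True, 'ok')
    print(check_upload("payload.jpg", SWF_AS_JPG))  # (False, 'content looks like swf, not jpg')
```

Content sniffing only closes the renaming trick; serving attachments from a separate origin, or with a Content-Disposition: attachment header, removes the same-server privilege that the [swf] tag relies on.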