Kunena Forums Persistent XSS Vulnerability

Posted in Joomla!
2009-07-06 20:06:24 +0000 UTC

Here's a rather nasty persistent XSS vulnerability I found today in Kunena Forums. Using nested [img] tags, it is possible to inject script into the forums.

Here are some important highlights about this vulnerability:

Without further ado, here's the (rather short) code:

[img] [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]

UPDATE: This XSS works in the signature field as well as the post message.

UPDATE 2: Nested [url] tags are similarly vulnerable, but require user interaction to execute as well as an ending double slash in the XSS to prevent the js engine from interpreting a hanging quote.

[url][url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]

UPDATE 3: Kunena is a Joomla 1.5 implementation of Fireboard. As it turns out, Fireboard is also vulnerable to this attack vector.