My Joomla XSS 0days

Last October 2013 I found some XSS vulnerabilities in Joomla! 3.1.2. Anyhow the affected versions were Joomla! version 2.5.14 and earlier 2.5.x versions and version 3.1.5 and earlier 3.0.x
versions. Actually all these XSS vulnerabilities existed on fields where we can insert links starting with http://. I first did a simple fuzz to test the output.

<foo> </bar> '" > <> ; () //

What I noticed was that it does filter out tags but still we can take advantage of these non-filtered characters. Of course we can use event handlers in JavaScript to trigger XSS.

‘; ()//"

fuzz

Persistent XSS in com_contact

To reproduce this issue follow these steps.

  • Click components -> Contacts-> Contacts. This is the URL: http://localhost/Joomla_3.1.5/administrator/index.php?option=com_contact
  • Edit an existing contact or create a new contact.
  • If you created a new contact Give a proper name and click on contact details.
  • Inject this payload http://"onmouseover=alert(document.documentURI);" and click on Save.
  • Move your mouse over the website field and you should get an alert box with the URI.

The website field is not properly sanitized and therefore it leads to a persistent XSS vulnerability. This can be used for attacking other users in the admin panel.

com_contact_self

Infecting all viewers of the Website

That XSS is persistent and can be harmed only to the users inside the admin panel. To leverage this attack, why not make a new Contact page with our payload? 🙂

  • Go to Menu -> Main Menu -> Add New Menu Item -> New
  • Click on the Select button -> Contacts -> Single Contact.
  • The page will reload with a new field named Select Contact. Click Select and click on the newly created contact with our payload stored.
  • Give a Menu Title and save it.

Now if you navigate to your index page a new menu item should have appeared with the name you have given. Click on it and payload should be executed. In my case I have given an event handler move the mouse over the URL and the payload should be executed.

com_contact_all

xss_all

If you like to view the payload in the back end database it is stored in the contact_details table. In my database the query would be:

select id, name, webpage from alias_contact_details where id=2;

com_contact_sqli

POC Video

Persistent XSS in com_newsfeeds

To reproduce this XSS follow the steps.

Move your mouse over the Link field and you should get an alert box with the URI.

newsfeed_xss

The payload is stored in the newsfeeds table in the database. In my configuration to retrieve it the query would be:

select id, name, link from alias_newsfeeds where id=1;

newsfeed_query

POC Video

Bonus FPD

If you try to create a new Menu item for Newsfeeds like we did before for the Contacts you would get a PHP syntax error revealing the full path. The reason is because this component tries to retrieve the feeds by our given malformed URL. As it is not a valid URL it will return an error.

  • Go to Menu -> Main Menu -> Add New Menu Item -> New
  • Click on the Select button -> Newsfeeds -> Single Newsfeed.
  • The page will reload with a new field named Select Feed. Click Select and click on the newly created Newsfeed with our payload stored.
  • Give a Menu Title and save it.

Once you go to the index page and click on the created menu item you should see the full path disclosure.

fpd

Persistent XSS in com_weblinks

Move your mouse over the URL field and you should get an alert box with the URI.

weblinks_xss

The XSS is stored in the weblinks table in the database. In my database the query would be

select id, title, url from alias_weblinks where id=1;

weblinks_sql

POC Video

POST XSS in com_contact

Com_contact also suffers from a POST XSS vulnerability. This can’t be remotely exploited because Joomla uses a CSRF token in the form.  The E-Mail field is not sanitized hence accepts any kind of input. You can basically inject HTML and JS.

For example if we inject "><svg/onload="alert('XSS by Osanda');" in the E-Mail field and this will return an alert box.

POSTXSS1

I also noticed that even if we reload the page or open the URL in a new tab the payload is executed. Our payload lies in the source code as follows.

POST source

POC


<html>
  <!-- POST XSS in com_contact POC by @OsandaMalith -->
  <body>
    <form name="exploit" action="http://localhost/Joomla_3.1.5/index.php/contact" method="POST">
      <input type="hidden" name="jform[contact_name]" value="test" />
      <input type="hidden" name="jform[contact_email]" value="&quot;&gt;&lt;svg/onload=&quot;alert(&apos;XSS by Osanda&apos;);&quot;" />
      <input type="hidden" name="jform[contact_subject]" value="test" />
      <input type="hidden" name="jform[contact_message]" value="test" />
      <input type="hidden" name="option" value="com_contact" />
      <input type="hidden" name="task" value="contact.submit" />
      <input type="hidden" name="return" value="" />
      <input type="hidden" name="id" value="1:test" />
      <input type="hidden" name="2b974e233b1ab7a34b82d352f3030e0a" value="1" />
      <script>document.exploit.submit(); </script>
	</form>
  </body>
</html>

Joomla.org was also affected by this issue.

joomla

POC Video

Impact

Actually all these bugs are less critical but in a scenario where the website is hosted in a shared server an attacker gains access to website A which is a normal vulnerable website. After that via symlinking or gaining root he can break down into the admin panel of the website B which is a Joomla website as he can get the config file. So he can take advantage of these XSS vulnerabilities to compromise the staff users including the Admin and the common visitors.

Report Timeline and Advisories

Joomla Advisories
[1] http://developer.joomla.org/security/news/570-20131101-core-xss-vulnerability
[2] http://developer.joomla.org/security/news/571-20131102-core-xss-vulnerability
[3] http://developer.joomla.org/security/news/572-20131103-core-xss-vulnerability

Secunia Advisory
[1] http://secunia.com/advisories/55573/

All these issues are fixed in Joomla 3.2.0 stable and Joomla 2.5.15
[1] http://www.joomla.org/announcements/release-news/5516-joomla-3-2-0-stable-released.html
[2] http://www.joomla.org/announcements/release-news/5517-joomla-2-5-15-released.html

After a responsible disclosure done to Joomla These issues were resolved. Special thanks to Elin Waring from the Joomla Strike Team and Dulsara Premalal for supporting me with the emails for reporting.

Advertisements

2 thoughts on “My Joomla XSS 0days

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s