CVE-2017-7985 & CVE-2017-7986: detailed analysis of two Joomla! XSS vulnerabilities (vulnerability warning, 黑吧安全网 / myhack58)

Source: www.myhack58.com, ID MYHACK58:62201785872
Author: 佚名 (anonymous)
Published: May 06, 2017, 12:00 a.m.

EPSS: 0.003 (percentile 71.8%)

Joomla! is one of the world's most popular CMS solutions. It lets users build their own websites and powerful online applications. According to incomplete statistics, more than 3% of websites on the Internet run Joomla!, and it holds more than 9% of the global CMS market.
As of November 2016, Joomla! had been downloaded more than 78 million times. The official site also lists more than 7,800 extensions, including free and premium plugins and other resources, available for download.
![Joomla! official extension count as of May 5, 2017](/Article/UploadPic/2017-5/201756152049722.png?www.myhack58.com)
Joomla! official extension totals as of May 5, 2017.
This year, as a FortiGuard security researcher, I discovered two stored XSS vulnerabilities in Joomla!, assigned CVE-2017-7985 and CVE-2017-7986. Joomla! fixed both vulnerabilities this week [1][2]. They affect Joomla! versions 1.5.0 through 3.6.5. The affected versions are vulnerable because the application does not effectively filter content submitted by a malicious user. A remote attacker can exploit these vulnerabilities to execute arbitrary JavaScript in a victim's browser, with the potential result that the attacker takes control of the victim's Joomla! account (translator's note: the attacker can use the XSS to obtain the victim's cookies and log in as that user, and can also combine it with CSRF so that the victim's browser issues requests to the server that perform actions on the attacker's behalf). If the victim holds higher privileges, such as a system administrator, a remote attacker can gain full control of the web server (translator's note: the author's wording here is imprecise; more accurately, the attacker can use the high-privilege account's backend extension-upload feature to obtain a webshell and thereby gain control of the web server).
In this article I analyze these two XSS vulnerabilities in detail, and I also write exploit code for the second one: using the XSS to obtain the CSRF token, create a high-privilege account, and finally obtain a webshell.
Background description
Joomla! has its own XSS filter. For example, a user who only has permission to publish articles is not allowed to use every HTML tag when publishing. When such a user publishes content containing HTML tags, Joomla! filters out constructs that may carry JavaScript and pose a security risk, such as "javascript:alert()" or "background:url()". Joomla! implements XSS filtering in two places. One is on the client side, where the TinyMCE editor filters the user's input on the front end. The other is on the server side, where sensitive characters in the HTTP request are filtered first and the result is then stored and processed.
Vulnerability analysis
To demonstrate the vulnerabilities, we first create a test account named 'yzy1'. The account only has Author permissions, meaning that when it publishes an article it is not allowed to use every HTML tag.
The two vulnerabilities analyzed here bypass the server-side XSS filter, so the client-side check is outside the scope of this study. We can bypass the front-end check with Burp Suite, or change Joomla!'s default editor to another one such as CodeMirror, or use no editor at all.
![Figure 1](/Article/UploadPic/2017-5/201756152049979.png?www.myhack58.com)
Figure 1. Changing the editor to bypass the client-side XSS filter
Below we focus on the two stored XSS vulnerabilities that bypass the server-side XSS filter, CVE-2017-7985 and CVE-2017-7986.
CVE-2017-7985
Joomla!'s server-side XSS filter removes code that poses a security risk and keeps characters it considers safe. For example, when we use the test account to post the following content:

style="background:url()"test
Joomla! filters this string by adding double quotes around style="background:url()", deleting onerror=alert(1), and adding a safe link to the two URLs, as shown in Figure 2:
![Figure 2](/Article/UploadPic/2017-5/201756152049276.png?www.myhack58.com)
Figure 2. Content after it has passed through Joomla!'s XSS filter
But an attacker can take advantage of the way this XSS filter rewrites the input: the filter's own edits can be used to reconstruct the code and rebuild a working XSS payload.

