Joomla BCAccount Cross Site Scripting

2010-08-26T00:00:00
ID PACKETSTORM:93141
Type packetstorm
Reporter Aung Khant
Modified 2010-08-26T00:00:00

Description

                                        
                                            `=======================================================================================  
Joomla! Component com_bcaccount Persistent Cross Script Scripting  
(XSS) Vulnerability  
=======================================================================================  
  
  
1. OVERVIEW  
  
The Joomla! Component com_bcaccount was vulnerable to a Persistent Cross
Site Scripting (XSS) vulnerability.
  
  
2. PRODUCT DESCRIPTION  
  
The Joomla! Component com_bcaccount is the chat user account management
component of the widely-used Blastchat chat client component
(com_blastchatc), designed for website communities from the smallest
personal websites to huge megasites that want to provide their members
and visitors with a superb chat experience.
BlastChat has currently been serving chat to over 50.000+ websites.
  
  
3. VULNERABILITY DESCRIPTION  
  
The Joomla! Component com_bcaccount does not properly escape user
profile information when it is saved.
Attackers can craft CSRF payloads that save persistent XSS in users'
profiles, which can be turned into self-propagating XSS worms.
For more information about this kind of vulnerability, see OWASP Top
10 - A2, WASC-8 and
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting').
  
  
4. VERSIONS AFFECTED  
  
Versions Not Available (reason: Closed-source/Commercial Product)  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
WebSite Manager URL:  
https://www.blastchat.com/index.php?option=com_bcaccount&bctask=wmanager&Itemid=24  
Affected Parameters: name, url_chat, autonick, theme  
  
  
Room Create URL:  
https://www.blastchat.com/index.php?cid=[valid_id]&id=[valid_id]&option=com_bcaccount&task=rmanager&bctask=rmanager&Itemid=24  
Affected Parameters: name, topic  
  
  
6. IMPACT  
  
As this is a multi-user chat application "component", the impact of
XSS is huge, ranging from cookie theft to mass client exploits and
XSS worming.
  
  
7. SOLUTION  
  
The reported vulnerability was fixed on 08-15-2010; the updated version is
believed to be safe.
Any web sites that use this component should ask the vendor for the
updated version.
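
The fix described in sections 3 and 7 comes down to two controls: validate the affected fields on save and escape them on output, with a CSRF token check in front of the save. The PHP below is an added illustration written for this advisory, not the vendor's patched code; the field names (name, url_chat, autonick, theme) are the advisory's, while the function names, length limits and theme list are assumptions.

```php
<?php
// Added example, not com_bcaccount code. Field names come from the advisory;
// the function names, length bounds and ALLOWED_THEMES are assumed.

const ALLOWED_THEMES = ['default', 'dark'];   // assumed allowlist of theme ids

// Validate the WebSite Manager fields on save: reject what does not fit the
// field's purpose instead of trusting the POST body as submitted.
function validate_profile(array $post): array
{
    $clean = [];
    // name / autonick: short printable text, no control characters
    foreach (['name', 'autonick'] as $f) {
        $v = trim((string)($post[$f] ?? ''));
        if ($v === '' || strlen($v) > 64 || preg_match('/[\x00-\x1f]/', $v)) {
            throw new InvalidArgumentException("invalid $f");
        }
        $clean[$f] = $v;
    }
    // url_chat: only http(s) URLs, so javascript: or data: never reach an href
    $url = trim((string)($post['url_chat'] ?? ''));
    if (!in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('invalid url_chat');
    }
    $clean['url_chat'] = $url;
    // theme: strict allowlist, no free text at all
    $theme = (string)($post['theme'] ?? '');
    if (!in_array($theme, ALLOWED_THEMES, true)) {
        throw new InvalidArgumentException('invalid theme');
    }
    $clean['theme'] = $theme;
    return $clean;
}

// Escape on output as well: stored values are encoded when rendered, so a
// value that slipped past validation still cannot execute in other users'
// browsers.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_profile(array $p): string
{
    return '<a href="' . esc($p['url_chat']) . '">' . esc($p['name']) . '</a>'
         . ' (nick: ' . esc($p['autonick']) . ', theme: ' . esc($p['theme']) . ')';
}

// CSRF: compare the per-session token in constant time before any save runs.
function csrf_ok(string $session_token, ?string $submitted): bool
{
    return $submitted !== null && hash_equals($session_token, $submitted);
}
```

In a Joomla component the token check would normally go through the framework's own form-token helper rather than a hand-rolled comparison; the point is that both the token check and the output escaping are applied, since validation alone does not cover every rendering context.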
  
  
8. VENDOR  
  
Blastchat  
http://www.blastchat.com  
  
  
9. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
10. DISCLOSURE TIME-LINE  
  
08-11-2010: discovered vulnerability  
08-11-2010: notified vendor  
08-15-2010: vendor fixed vulnerability  
08-26-2010: vulnerability disclosed  
  
  
11. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/joomla/[com_bcaccount]_persistent_cross_site_scripting  
What XSS Can Do: http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdf  
XSS FAQs: http://www.cgisecurity.com/articles/xss-faq.shtml  
XSS (wiki): http://en.wikipedia.org/wiki/Cross-site_scripting  
XSS (owasp): http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
XSS Worm: http://en.wikipedia.org/wiki/XSS_Worm  
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  
CWE-79: http://cwe.mitre.org/data/definitions/79.html  
  
#yehg [08-26-2010]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  