Discovered by: Demis Palma - Fox Labs
Reported date: 04 January 2017
Versions affected: 5.0.2 through 5.0.4
CVE Number: Under assignment
Kunena forum cross-site scripting (XSS).
The vulnerability was responsibly disclosed to the Kunena developers, and the publication of this document was postponed to a later date to allow the Kunena developers to release a fix and users to apply the patch.
"Kunena is the leading Joomla forum component. Downloaded more than 7M times in 8 years."
INTRODUCTION AND BUSINESS IMPACT
Independent research uncovered a cross-site scripting vulnerability in Kunena that could be used by remote attackers to inject persistent client-side scripts or HTML code into web pages, remotely steal other users' authorization cookies and obtain sensitive information.
In the six files listed below, the "topic subject" variable is not properly filtered:
components/com_kunena/template/crypsis/layouts/message/item/default.php
components/com_kunena/template/crypsis/layouts/message/item/top/default.php
components/com_kunena/template/crypsis/layouts/message/item/bottom/default.php
components/com_kunena/template/crypsisb3/layouts/message/item/default.php
components/com_kunena/template/crypsisb3/layouts/message/item/top/default.php
components/com_kunena/template/crypsisb3/layouts/message/item/bottom/default.php
... KunenaForumMessage::getInstance()->getsubstr($message->subject, 0, $subjectlengthmessage) ...
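The following is an added example, not Kunena's own code: it contrasts the unsafe pattern of writing a truncated subject straight into markup with a hardened renderer that escapes the value after truncation (escaping before truncation could cut an entity such as &quot; in half). The truncateSubject helper and the sample subject are assumptions constructed for the example.

```php
<?php
// Added example (not Kunena's code): render a display-truncated topic subject
// into an HTML attribute and an element body, unsafe vs. hardened.

// Constructed sample subject containing HTML-significant characters.
const SAMPLE_SUBJECT = 'Need help with "quotes" & <b>tags</b> in subjects';

// Hypothetical stand-in for a display-truncation helper.
function truncateSubject(string $subject, int $maxLength): string
{
    return mb_substr($subject, 0, $maxLength);
}

// Unsafe pattern: untrusted text is written raw into an attribute and a tag body,
// so quotes and angle brackets in the subject become markup.
function renderUnsafe(string $subject, int $maxLength): string
{
    $short = truncateSubject($subject, $maxLength);
    return '<a class="kmsg-subject" title="' . $short . '">' . $short . '</a>';
}

// Hardened pattern: truncate first, then escape once for both contexts.
// ENT_QUOTES covers double and single quotes (attribute context);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderHardened(string $subject, int $maxLength): string
{
    $short = truncateSubject($subject, $maxLength);
    $safe  = htmlspecialchars($short, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<a class="kmsg-subject" title="' . $safe . '">' . $safe . '</a>';
}

echo renderUnsafe(SAMPLE_SUBJECT, 40), PHP_EOL;
echo renderHardened(SAMPLE_SUBJECT, 40), PHP_EOL;
```

In the unsafe output the subject's own double quote terminates the title attribute, which is the class of flaw described for the template files above; the hardened output keeps it as literal text.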
PROOF OF CONCEPT EXPLOIT
Just put the malicious code in the topic subject.
As the forum moderators could receive notifications on new topics, we expect smart attackers to create reasonable topics and edit them afterwards to go unnoticed.
The first part closes the current HTML attribute and tag:
Those who visit the topic run the XSS vector. Note that just viewing the list of available topics is not enough; the victim has to browse the malicious topic.
Update to Kunena 5.0.5 as soon as it is available.
This advisory (CVE Number: Under assignment): http://www.fox.ra.it/technical-articles/kunena-vulnerability-2017-01.html
The vulnerability has been discovered by Demis Palma - Fox Labs