Discovered by: Demis Palma - Fox Labs
Reported date: 04 January 2017
Versions affected: 5.0.2 through 5.0.4
Severity: High
CVE Number: Under assignment

VULNERABILITY

Kunena forum cross-site scripting (XSS).
The vulnerability was responsibly disclosed to the Kunena developers, and the publication of this document was postponed to a later date to allow the Kunena developers to release a fix and the users to apply the patch.

BACKGROUND

"Kunena is the leading Joomla forum component. Downloaded more than 7M times in 8 years."
https://extensions.joomla.org/extension/kunena

INTRODUCTION AND BUSINESS IMPACT

Independent research uncovered a cross-site scripting vulnerability in Kunena that could potentially be used by remote attackers to inject persistent client-side scripts or HTML code into web pages, remotely steal other users' authorization cookies and obtain sensitive information.

DESCRIPTION

In the six files listed below, the "topic subject" variable is not properly filtered:

components/com_kunena/template/crypsis/layouts/message/item/default.php
components/com_kunena/template/crypsis/layouts/message/item/top/default.php
components/com_kunena/template/crypsis/layouts/message/item/bottom/default.php
components/com_kunena/template/crypsisb3/layouts/message/item/default.php
components/com_kunena/template/crypsisb3/layouts/message/item/top/default.php
components/com_kunena/template/crypsisb3/layouts/message/item/bottom/default.php

... KunenaForumMessage::getInstance()->getsubstr($message->subject, 0, $subjectlengthmessage) ...

PROOF OF CONCEPT EXPLOIT

Just put the malicious code in the topic subject.
As the forum moderators could receive notifications on new topics, we expect smart attackers to create reasonable topics and edit them afterwards to go unnoticed.
"> <script>alert("XSS")</script>

The first part closes the current HTML attribute and tag:
">
then the malicious JavaScript or HTML code follows.

Those who visit the topic run the XSS vector. Note that just viewing the list of available topics is not enough: the victim has to browse the malicious topic.
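The following is an added illustration, not Kunena's own code, of the pattern described above: a truncated topic subject placed straight into an HTML attribute, beside an escaped version. The truncate_subject() helper and the render_* functions are hypothetical stand-ins; the real getsubstr() signature is not assumed, and the sample subject reuses the advisory's payload.

```php
<?php
// Added example (not Kunena code): rendering a topic subject inside an HTML
// attribute, first unescaped as in the affected templates, then escaped.

// Hypothetical truncation helper standing in for the template's getsubstr()
// call; the real Kunena method signature is not assumed here.
function truncate_subject(string $subject, int $start, int $length): string {
    return mb_substr($subject, $start, $length);
}

// Vulnerable pattern: the truncated subject goes straight into a title
// attribute and the element body, so a leading "> ends the attribute and tag.
function render_subject_vulnerable(string $subject, int $maxlen = 100): string {
    $short = truncate_subject($subject, 0, $maxlen);
    return '<a href="#" title="' . $short . '">' . $short . '</a>';
}

// Hardened pattern: escape AFTER truncating (truncating an escaped string can
// cut an entity in half); ENT_QUOTES covers both " and ' so the value is safe
// in a double- or single-quoted attribute as well as in element content.
function render_subject_fixed(string $subject, int $maxlen = 100): string {
    $short = truncate_subject($subject, 0, $maxlen);
    $safe  = htmlspecialchars($short, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="#" title="' . $safe . '">' . $safe . '</a>';
}

// Simple reviewer check: does the rendered markup still contain a raw
// <script start tag that the browser would execute?
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed sample input: the advisory's proof-of-concept subject.
$subject = '"> <script>alert("XSS")</script>';

$vuln  = render_subject_vulnerable($subject);
$fixed = render_subject_fixed($subject);

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";
var_dump(contains_raw_script($vuln));
var_dump(contains_raw_script($fixed));
```

Running it shows the unescaped output with the attribute closed early and a live script tag, while the escaped output keeps the whole subject as inert text.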

SOLUTION

Update to Kunena 5.0.5 as soon as it is available.

REFERENCES

This advisory (CVE Number: Under assignment): http://www.fox.ra.it/technical-articles/kunena-vulnerability-2017-01.html

CREDITS

The vulnerability has been discovered by Demis Palma - Fox Labs