Kunena 7.0.4 Released
The Kunena team has announced the arrival of Kunena 7.0.4 [K 7.0.4] in stable, which is now available for download as a native Joomla extension for J! 5.4.x/6.0.x. This version addresses most of the issues that were discovered in K 6.2 / K 6.3 / K 6.4 and issues discovered during the last development stages of K 7.0.
Topics contains old discussions (generally more than one year ago or based on circumstances that subsequently changed) or topics resolved in other ways. Topics moved into this category are closed from further discussion.
Question Persistent XSS
16 years 9 months ago #22636
by jeffchannell
Persistent XSS was created by jeffchannell
Kunena Forums is vulnerable to persistent XSS in its BBCode implementation.
jeffchannell.com/Joomla/kunena-forums-pe...s-vulnerability.html
Demo: [img]http://foo.com/fake.png [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
16 years 9 months ago #22778
by @quila
Replied by @quila on topic Re:Persistent XSS
Hi jeff,
reported to DEVs. Thank you.
Regards
16 years 9 months ago - 16 years 9 months ago #22803
by Matias
Replied by Matias on topic Re:Persistent XSS
Quick fix:
Replace this file: components/com_kunena/lib/kunena.parser.php
Kunena 1.5.3 version:
joomlacode.org/gf/project/kunena/scmsvn/...ser.php&revision=910
Kunena 1.0.10 version:
joomlacode.org/gf/project/kunena/scmsvn/...ser.php&revision=911
Or do it by yourself:
components/com_kunena/lib/kunena.parser.php:
Replace lines 321-382 in Kunena 1.0.10
Replace lines 319-380 in Kunena 1.5.3
with this (click on icon):
Code:
case 'email':
    $tempstr = kunena_htmlspecialchars($between, ENT_QUOTES);
    if(substr($tempstr, 0, 7)=='mailto:') {
        $between = substr($tempstr, 7);
    }
    else {
        $tempstr = 'mailto:'.$tempstr;
    }
    $tag_new = "<a href='".$tempstr."'>".$between.'</a>';
    return TAGPARSER_RET_REPLACED;
    break;
case 'url':
    $tempstr = kunena_htmlspecialchars($between, ENT_QUOTES);
    if(substr($tempstr, 0, 7)!='http://') {
        $tempstr = 'http://'.$tempstr;
    }
    $tag_new = "<a href='".$tempstr."' rel=\"nofollow\" target=\"_blank\">".$between.'</a>';
    return TAGPARSER_RET_REPLACED;
    break;
case 'img':
    if($between) {
        $tempstr = kunena_htmlspecialchars($between, ENT_QUOTES);
        $task->autolink_disable--; # continue autolink conversion
        // Make sure we add image size if specified and while we are
        // at it also set maximum image width from text width config.
        //
        // NOTICE: image max variables from config are not intended
        // for formating but to limit the size of uploads, which can
        // be larger than the available post area to support super-
        // sized popups.
        $imgmaxsize = (int)(($fbConfig->rtewidth * 9) / 10); // 90% of text width
        $imgtagsize = isset($tag->options["size"]) ? (int)kunena_htmlspecialchars($tag->options["size"]) : 0;
        if($imgtagsize>0 && $imgtagsize<$imgmaxsize)
        {
            $imgmaxsize = $imgtagsize;
        }
        // Need to check if we are nested inside a URL code
        if($task->autolink_disable == 0)
        {
            $tag_new = "<a href='".$tempstr."' rel=\"lightbox\"><img src='".$tempstr.($imgtagsize ?"' width='".$imgmaxsize:'')."' style='max-width:".$imgmaxsize."px; ' alt='' /></a>";
        }
        else
        {
            $tag_new = "<img src='".$tempstr.($imgtagsize ?"' width='".$imgmaxsize:'')."' style='max-width:".$imgmaxsize."px; ' alt='' />";
        }
        return TAGPARSER_RET_REPLACED;
    }
    return TAGPARSER_RET_NOTHING;
    break;
case 'file':
    if($between) {
        $tempstr = kunena_htmlspecialchars($between, ENT_QUOTES);
        $task->autolink_disable--; # continue autolink conversion
        $tag_new = "<div class=\"fb_file_attachment\"><span class=\"contentheading\">"._KUNENA_FILEATTACH."</span><br>"._KUNENA_FILENAME
            ."<a href='".$tempstr."' target=\"_blank\" rel=\"nofollow\">".(($tag->options["name"])?kunena_htmlspecialchars($tag->options["name"]):$tempstr)."</a><br>"._KUNENA_FILESIZE.kunena_htmlspecialchars($tag->options["size"], ENT_QUOTES)."</div>";
        return TAGPARSER_RET_REPLACED;
    }
    return TAGPARSER_RET_NOTHING;
    break;
New versions will be released soon.
Next time, please contact developers (and give them ~2 weeks time) before publishing the vulnerabilities.
Last edit: 16 years 9 months ago by Matias.
16 years 9 months ago #22944
by jeffchannell
Replied by jeffchannell on topic Re:Persistent XSS
Code:
if(substr($tempstr, 0, 7)!='http://') {
    $tempstr = 'http://'.$tempstr;
}
Maybe preg_match would be a better solution, so you could test for /https?\
/{2}/ ?
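The scheme test suggested above, combined with the ENT_QUOTES escaping from the quick fix, as an added example that is not part of the thread or of Kunena's code. The function names bbcode_safe_url() and bbcode_img() are hypothetical, PHP's built-in htmlspecialchars() stands in for kunena_htmlspecialchars(), and the sample inputs are constructed. With the substr() check quoted above, an https:// address would come out as http://https://...; the preg_match() form keeps it intact.

```php
<?php
// Added example: bbcode_safe_url() and bbcode_img() are hypothetical names,
// not functions from kunena.parser.php.

/**
 * Turn the text between [img]...[/img] or [url]...[/url] into a value that
 * is safe to place inside a single-quoted src/href attribute.
 */
function bbcode_safe_url(string $between): string
{
    $url = trim($between);

    // Accept http:// and https:// (case-insensitive). Anything else,
    // including other URI schemes, is treated as a bare host/path and
    // forced onto http://, so it can never be interpreted as a script URL.
    if (!preg_match('#^https?://#i', $url)) {
        $url = 'http://' . $url;
    }

    // ENT_QUOTES encodes both ' and ", so the value cannot terminate the
    // single-quoted attribute that the generated markup uses.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

function bbcode_img(string $between): string
{
    return "<img src='" . bbcode_safe_url($between) . "' alt='' />";
}

// Constructed sample inputs, one per behaviour worth checking.
$samples = [
    'https://foo.com/fake.png',           // https is kept, not re-prefixed
    'foo.com/fake.png',                   // bare host gets http://
    "http://foo.com/fake.png' title='x",  // quote is encoded as &#039;
    'javascript:void(0)',                 // becomes http://javascript:void(0)
];

foreach ($samples as $sample) {
    echo bbcode_img($sample), PHP_EOL;
}
```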
16 years 9 months ago #22952
by Matias
Replied by Matias on topic Re:Persistent XSS
I didn't change the logic of the function, just fixed the vulnerability.
But you're right, will add that to my todo list.