Bugtraqmailing list archives

By Date

By Thread

Joomla! Component com_bc Cross Script Scripting (XSS) Vulnerability

===================================================================== Joomla! Component com_bc Cross Script Scripting (XSS) Vulnerability=====================================================================1. OVERVIEWThe Joomla! Component com_bc was vulnerable to Cross Script Scripting(XSS) Vulnerability.2. PRODUCT DESCRIPTIONThe Joomla! Component com_bc is a widely-used Blastchat chat servercomponent designed for website communitiesfrom the smallest personal websites to the huge megasites who desireto provide their members and visitorswith a superb chat experience. BlastChat has currently been servingchat to over 50.000+ websites.3. VULNERABILITY DESCRIPTIONThe Joomla! Component com_bc does not properly escape parameters:-ctask, bcItemid, lang, nlang , rid, rsid, sec_code, template, andusergid.This leads to Cross Site Scripting vulnerability. For more informationabout this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 andCWE-79: Improper Neutralization of Input During Web Page Generation('Cross-site Scripting').4. VERSIONS AFFECTEDVersions Not Available (reason: Closed-source/Commercial Product)5. PROOF-OF-CONCEPT/EXPLOITVulnerable URL-1:index2.php?option=com_bc&no_html=1&task=load&ctask=enter&d=1&url=[victim_url]&intraid=[]&userid=0&usergid=0&nick=&rid=0&rsid=0&lang=english&nlang=en-GB&template=system&pub_key=[]&&sec_code=[]&time_key=2010-08-11%2003:46:00&bcItemid=&bc_ver=3.2&prod=Joomla!&rel=1.5&dev=20&detaching=1Vulnerable URL-2:index2.php?option=com_bc&no_html=1&task=client&ctask=enter&d=0c39e7&url=[victim_url&intraid=[]&userid=0&usergid=0&nick=&rid=0&rsid=0&lang=english&nlang=en-GB&template=system&pub_key=[]&sec_code=[]&time_key=2010-08-11%2018:45:20&bcItemid=&bc_ver=3.2&prod=Joomla!&rel=1.5&dev=7Affected parameters: d , no_html, ctask, bcItemid, lang, nlang , rid,rsid, sec_code, template, usergidhttp://yehg.net/lab/pr0js/advisories/joomla/com_bc_xss(rid).jpg6. IMPACTAs this is a multi-user chat application "component", the impact ofXSS is huge, ranking from cookie theft to mass client exploits.7. SOLUTIONReported vulnerabiltiy was fixed at 08-15-2010. It is now supposed to be safe.It is suggested that any web sites that use this component ask thevendor for the updated version.8. VENDORBlastchathttp://www.blastchat.com9. CREDITThis vulnerability was discovered by Aung Khant,http://yehg.net, YGNEthical Hacker Group, Myanmar.10. DISCLOSURE TIME-LINE08-11-2010: discovered vulnerability08-11-2010: notified vendor08-15-2010: vendor fixed vulnerability08-26-2010: vulnerability disclosed11. REFERENCESOriginal Advisory URL:http://yehg.net/lab/pr0js/advisories/joomla/[com_bc]_cross_site_scriptingWhat XSS Can Do:http://yehg.net/lab/pr0js/view.php/What%20XSS%20Can%20Do.pdfXSS FAQs:http://www.cgisecurity.com/articles/xss-faq.shtmlXSS (wiki):http://en.wikipedia.org/wiki/Cross-site_scriptingXSS (owasp):http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)OWASP Top 10:http://www.owasp.org/index.php/Category:OWASP_Top_Ten_ProjectCWE-79:http://cwe.mitre.org/data/definitions/79.html#yehg [08-26-2010]---------------------------------Best regards,YGN Ethical Hacker GroupYangon, Myanmarhttp://yehg.netOur Lab |http://yehg.net/labOur Directory |http://yehg.net/hwd

By Date

By Thread

Current thread:

• Joomla! Component com_bc Cross Script Scripting (XSS) VulnerabilityYGN Ethical Hacker Group (Aug 26)