{"id":7543,"date":"2017-05-04T16:40:26","date_gmt":"2017-05-05T00:40:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/04\/news-1328\/"},"modified":"2017-05-04T16:40:26","modified_gmt":"2017-05-05T00:40:26","slug":"news-1328","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/04\/news-1328\/","title":{"rendered":"Multiple Joomla! Core XSS Vulnerabilities Are Discovered"},"content":{"rendered":"<p><strong>Credit to Author: Zhouyuan Yang| Date: Thu, 04 May 2017 17:05:00 -0700<\/strong><\/p>\n<div class=\"entry\">\n<style type=\"text\/css\">.entry img {        display: inline;        margin: 0px;      }  <\/style>\n<p>Joomla! is one of the world&#39;s most popular content management system (CMS) solutions. It enables users to build custom Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share.<\/p>\n<p>As of November 2016, Joomla! had been downloaded over 78 million times. Over 7,800 free and commercial extensions are also currently available from the official Joomla! Extension Directory, and more are available from other sources.<\/p>\n<p>This year, as a FortiGuard researcher I discovered and reported two Cross-Site Scripting (XSS) vulnerabilities in Joomla!. They are identified as <a href=\"http:\/\/fortiguard.com\/zeroday\/FG-VD-17-026\">CVE-2017-7985<\/a> and <a href=\"http:\/\/fortiguard.com\/zeroday\/FG-VD-17-016\">CVE-2017-7986<\/a>. Joomla! patched them [<a href=\"https:\/\/developer.joomla.org\/security-centre\/685-core-xss-vulnerability.html\">1<\/a>] [<a href=\"https:\/\/developer.joomla.org\/security-centre\/686-core-xss-vulnerability.html\">2<\/a>] this week. These vulnerabilities affect Joomla! versions 1.5.0 through 3.6.5. They exist because these versions of Joomla! fail to sanitize malicious user input when users post or edit an article. Remote attacker could exploit them to run malicious code in victims&rsquo; browser, potentially allowing the attacker to gain control of the victim&rsquo;s Joomla! account. If the victim has higher permission, like system administrator, the remote attacker could gain full control of the web server.<\/p>\n<p>In this blog, I will share the details of these vulnerabilities.<\/p>\n<h2>Background<\/h2>\n<p>Joomla! has its own XSS filters. For example, a user with post permission is not allowed to use full HTML elements. When this user posts an article with HTML attributes, Joomla! will sterilize dangerous code like &ldquo;<strong>javascript:alert()<\/strong>&rdquo;, &ldquo;<strong>background:url()<\/strong>&rdquo; and so on. Joomla! has two ways to achieve this sterilization. On the client side, it uses the editor called &ldquo;TinyMCE.&rdquo; On the server side, it sanitizes the request before storing it on the server.<\/p>\n<h2>Analysis<\/h2>\n<p>To demonstrate these vulnerabilities, the test account &lsquo;yzy1&rsquo; is created. It has author permission, which is not allowed to use full HTML elements.<\/p>\n<p>To bypass the client side sterilization, the attacker can use a network intercept tool like Burp Suite or just change the default editor to other Joomla! built-in editors, like CoodeMirror or None, as shown in Figure 1.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS001.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 1. Bypassing the client side XSS filter<\/p>\n<p>On the server side, I found two ways to bypass the XSS filters. They are identified as CVE-2017-7985 and CVE-2017-7986.<\/p>\n<h2>CVE-2017-7985<\/h2>\n<p>The Joomla! server side XSS filter sterilizes dangerous code and saves the safe characters. For example, when we post the following code with the test account,&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%201.png\" style=\"width: 484px; height: 16px;\" \/>&nbsp;Joomla! sterilizes it by double quoting the&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%202.png\" style=\"width: 159px; height: 16px;\" \/>,&nbsp;deleting the&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20Joomla%203.png\" style=\"width: 109px; height: 15px;\" \/>,&nbsp;and adding safe links to the URLs, as shown in Figure 2.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS003.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 2. Joomla! XSS filter<\/p>\n<p>But an attacker could take advantage of the filter by trying to let the filter to reconstruct the code and rebuild the scripts. For example, we can add the code<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%20f2.png\" style=\"width: 494px; height: 14px;\" \/>&nbsp;Note that the double quote in&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%20f2%202.png\" style=\"width: 159px; height: 14px;\" \/>&nbsp;is the <strong>CORRECT DOUBLE QUOTATION MARK,<\/strong> as shown in Figure 3.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS005.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 3. Inserting the PoC for CVE-2017-7985<\/p>\n<p>When victims access the post, regardless of whether it&rsquo;s published or not, the inserted XSS code will be triggered in both the main page and the administrator page, as shown in Figures 4 and 5.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS007.jpg\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 4. CVE-2017-7985 PoC triggered in the home page<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS009.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 5. CVE-2017-7985 PoC triggered in the administrator page<\/p>\n<h2>CVE-2017-7986<\/h2>\n<p>When posting an article, the attacker could bypass the XSS filter in an HTML <img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/joomla%20inline%201.png\" style=\"width: 70px; height: 16px;\" \/>&nbsp;tag by changing the script from&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%20f5.png\" style=\"width: 111px; height: 16px;\" \/>&nbsp;to&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%20f5%202.png\" style=\"width: 156px; height: 15px;\" \/>,&nbsp;because the <img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/joomla%20inline%202.png\" style=\"width: 69px; height: 20px;\" \/>&nbsp;is the mark &ldquo;:&rdquo; in HTML format. The attacker could then trigger this script code by adding a <img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/joomla%20inline%203.png\" style=\"width: 54px; height: 14px;\" \/> tag. For example, the attacker can insert the following code in an article&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%20f5%203.png\" style=\"width: 471px; height: 15px;\" \/>,&nbsp;as shown in Figure 6.&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS011.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 6. Insert the PoC for CVE-2017-7986<\/p>\n<p>When victims access the post, regardless of whether it&rsquo;s published or not, and click the &ldquo;Click Me&rdquo; button, the inserted XSS code will be triggered in both the main page and the administrator page, as shown in Figures 7 and 8.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS013.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 7. CVE-2017-7986 PoC triggered in home page<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS015.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 8. CVE-2017-7986 PoC triggered in administrator page<\/p>\n<h2>Exploit<\/h2>\n<p>Here I provide an exploit example for CVE-2017-7986 that allows an attacker with a low permission account to create a Super User account and upload a web shell. To achieve this, I will write a small piece of JavaScript code for creating a Super User account by using the site administrator&rsquo;s permission. It first obtains the CSRF token from the user edit page&nbsp;<img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/inline%20joomla%208.png\" style=\"width: 337px; height: 15px;\" \/>, and then posts the Super User account creation request to the server with the stolen CSRF token. The new Super User will be &lsquo;Fortinet Yzy&rsquo; with the password &lsquo;test&rsquo;.<\/p>\n<p><script src=\"https:\/\/gist.github.com\/michaelperna\/1f84916267ac67a322b132288ef9417d.js\"><\/script><\/p>\n<p>An attacker can add this code to Joomla! by exploiting this XSS vulnerability, as shown in Figure 9.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS017.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 9. Adding XSS code<\/p>\n<p align=\"center\">&nbsp;<\/p>\n<p>Once the site administrator triggers this XSS attack in the administrator page, a Super User account will be immediately created, as shown in Figures 10 and 11.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS019.jpg\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 10. Site administrator triggers the XSS attack in the administrator page<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS021.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 11. A new Super User account is created by the attacker<\/p>\n<p>The attacker can then login to Joomla! using this new Super User permission and upload a web shell by installing a plugin, as shown in Figures 12 and 13.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS023.png\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 12. Uploading a web shell using the attacker&rsquo;s Super User account<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS025.jpg\" style=\"width: 75%;\" \/><\/p>\n<p align=\"center\">Figure 13. Attacker accesses the web shell and executes commands<\/p>\n<h2>Solution<\/h2>\n<p>All users of Joomla! should upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from these vulnerabilities with the signatures <strong>Joomla!.Core.Article.Post.Colon.Char.XSS <\/strong>and <strong>Joomla!.Core.Article.Post.Quote.Char.XSS<\/strong>.<\/p>\n<\/div<br \/><a href=\"http:\/\/blog.fortinet.com\/2017\/05\/04\/multiple-joomla-core-xss-vulnerabilities-are-discovered\" target=\"bwo\" >https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/JoomlaCoreXSS001.png\"\/><\/p>\n<p><strong>Credit to Author: Zhouyuan Yang| Date: Thu, 04 May 2017 17:05:00 -0700<\/strong><\/p>\n<p>Joomla! is one of the world&#039;s most popular content management system (CMS) solutions. It enables users to build custom Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share.    As of November 2016, Joomla! had been downloaded over 78 million times. Over 7,800 free and commercial extensions are also currently available from the official Joomla! Extension Directory, and more are available from other sources.    This year, as a FortiGuard researcher&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-7543","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7543"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7543\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7543"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}