TOPIC: Security: XSS vulnerability in 4.0 b1

My website which uses JoomlaComment has been hacked. Very sad experience.

The PHP files has malicious javascript appended at the end.

I found a security report: XSS vulnerability in JoomlaComment:
jeffchannell.com/Joomla/joomlacomment-40...vulnerabilities.html

JoomlaComment is listed on the Vulnerable Extensions List:
docs.joomla.org/Vulnerable_Extensions_List

Has this been fixed in Beta2? Can you supply the fix to Jeff Channel for a check?

How very nice it was for this Jeff fellow to practically broadcast an invitation to script kiddies around the blog-o-sphere to attack JoomlaComment

He never received any response from us? Well I can't speak for Daniel of course but I think that is complete BS... somebody as clever as he would not have ignored it!

Unfortunately we did know about this vulnerability but didn't realize the the seriousness of it. Now that it's been announced/made aware via the links you mentioned, I can only imagine it will get worse. The quick fix is to disable the UBBCode. The real fix is to completely re-write the UBBCode parse functions, which Daniel and I have been talking on for months and he is nearly finished the new class for the JoomlaComment 4.1 alpha line.

Of course there is nobody to blame if not us (the developers) but this is a sad and unfortunate side affect of Beta open-source software... now that we are aware of the scale of this thanks to our good friend Jeff here we have already prioritized on responding to this threat ASAP with a quick fix update to Beta 3.

Thanks for letting us know Alex, sorry to hear about your site.

Can someone explain a bit of what this actually means?
I mean, ok UBB Code is easy enough to understand what it is, but I want to know if someone uses this weakness, can they do damage?
XSS is an abreviation that in itself sounds really scary!

Like, can they hack a site to death?

You know, can they gain access to Members details etc, or their E-Mail addresses for potential spamming etc.
Can they alter your codes etc, so you don't have access to your own site?
You know, all that scary stuff?!

Or does it mean they can just post stupid comments about how blueberries can cure flatfeet?

en.wikipedia.org/wiki/Cross-site_scripting

I didn't expect that Jeff is going to disclose the vulnerability. The new ubbcode parsing engine for 4.1 is ready and it stops those prevent these XSS attacks. I will integrate the new ubbcode in 4.0beta2 and release a new version 4.0beta2a, that will address this problem (this evening or tomorrow morning. Up until then, disable ubb support and the website input field.

Is this a problem that effects everyone?
I use the setting whereby only registered users have access to write etc.
So in this way every user must pass a normal registry on the site, so the comments is not available for non-registered users.

Can this XSS still do its thing in this case?
Just for safety I have disbaled the functions you mentioned.

XSS is at the same time not dangerous and dangerous.
It can be just annoying or bring your website down.
If your website is available only for registered users, then those registered users can write can execute an XSS attack.

But for the attack to be successful - you must click the link that they've integrated. (it requires your cooperation)

Anyway, I'll do my best to release the fix tomorrow.

In the event of an XSS injected site, I think the main risk is to the website visitors who do not have an up to date browser or operating system (security patches). AntiVirus also does actually help ("Web Shield" type names like Avast! has) and some Firefox users have extensions to completely allow/ban JavaScript on sites they trust/unknown but in my opinion that's overkill. Keeping Windows Update (or whatever your OS update is) on and using a renown-for-security browser like Firefox 3.5 or Opera 10 is a good enough thing, the most that can happen is stolen data from the users.

As for a website being taken down, XSS can't actually do that. It can help, but it alone can't wreck a server without something else on the server being insecure - XSS just helps find something.

Here's a vital read:


And here's my example of the most severe possible case:

1. "Hacker" finds site that is Joomla powered with XSS vulnerabilities
2. Writes script to steal password from login box from SAdministrator (you can create a new Super Admin account and delete the default one to prevent them guessing the name), or he manually watches all of them and tries all. For any of this to work, the victim who is logging in must have a fairly insecure, unprotected and/or old web browser (or operating system).
3. If /administrator/index.php file is not banned via .htaccess from all unknown IP's (except your own home/work/etc), they're in the backend as easy as that.

I do apologize if this makes anybody feel uneasy. The reality is though, if a reader didn't know about these, as detailed in the Joomla Security/Performance FAQ , then it's a good thing I mentioned it now. Who knows what could of happened down the line for them.

EDIT: Setting the /administrator/index.php file to CHMOD 0 (deny all) isn't listed in that official FAQ... I've never had a problem so I wonder why it isn't mentioned?

Thanks for the tip and explanation!
I have never had any trouble either so far...
Of course, any security problem makes at least me feel worried, as I have no clue in this field!
I rely on updates etc to be secure and tight in these regards.
I also rely on my server manager to have a good firewall system etc of course.

One habit I have though is that I always read what others say about a component, module or plugin before I try it out.

Everything in that link I gave in my last reply is all you need to know Nils. It's part of the official Joomla documentation so we, as Joomla developers, have to assume that everyone of our users has read it and understands it.

As for worrying about an insecure server, exactly as you said is all that's needed. Stay up to date and do your research - even if it's just a little research I apologize for going off topic, it is good to know but there's no reason to be more alarmed than what we already are! As Daniel said - disable UBBCode support and the Website field, and hang in there for the Beta 2a very soon.

Download the file attached in this post.

Uninstall joomlacomment and install the new version.

The only things changed in this version is the new ubb class:
www.christian-seiler.de/projekte/php/bbcode/index_en.html

I've added the necessary code to validate the user input so XSS execution now should be impossible.

I was planning to add all this to 4.1, but since this security hole in joomlacomment was publicly disclosed since august (I never knew that jeff has putted this information online) I have to release a beta2a version.

The only new thing in this release is the prevention of possible XSS attacks.

Later today or tomorrow I will write what exactly was changed. joomlacomment4-20100115.zip

A quick note that may be helpful to people like me...

I did this upgrade, and it installed easy enough.
However, additional plugins and alterations do not follow in the process, and hence must be re-applied.

I got a shock, when at first my Events, Video and Shop gave me a blank page, with a Warning at the top!

But when I looked at the Warning, it was obvious that it was looking for the plugin, that no longer existed. So good advice, have them ready, if you have additional plugins from the base installation.

Also, the language alterations do not follow if you have altered the utils file.

These things are of course pretty easy to figure out, when you think over it, but it came as a small shock on me. -I know, it shouldn't, but a white page has that effect on me..
But immediately after transferring the plugs through the FTP, it worked again.

So all in all, I'd guess this took me around 15 minutes to get it all setup again.
Of course the hacks made to for example Events is not in the !JoomlaComments component, so they do not need to be repeated.

Oh, the Latest Comments module didn't like this at all for some reason.
So I will try to figure out why. It works etc, but not as it should. It only should certain users comments, and the entire comment, not just the title.
So I have Unpublished it for now.

Hey Nils,
sorry about the plugins. I forgot to mention that.
I don't understand what is wrong with the latest comments module? It shows the entire comment? It doesn't work like this for me.

This is a screen grab from my test site of just the module, how it is behaving.
Yes, I've played around with settings etc, but haven't got it yet... it's probably something stupid though. I mean, everything else seems to be fine, so why should this suddenly not be fine?
But, this is the case, both on my test site, and on my production site.

One thing I have just noticed, is that it doesn't seem to want to except dual styling.

By this I mean for example, text that is red and large at the same time, or bold and large at the same time.

Red and bold at the same time is fine.

So the indications stemming from the dropdown menu from the right side, concerning style sizes does not want to co-operate with the others. But it does on its own.

This again is true on both my test site, and production site.

Quick message...
After this install, my site just seems to have grinded to a halt.
The page/site request was using too long to the SQL (line 223, in the libraries - MYSQL.php), so the page was timing out.
Digging desperately around to find out the cause, I altered my template, and now it works again.

So this looks to be some conflict to the template, redevo_aphelion. -Yes I know, this shouldn't be the case, but I can't think of anything else...
I haven't installed anything else, so I am assuming this to be the case, from calculated guesswork really.
Everything has been fine up til now.
The js function of the aphelion template was turned off, it always has been, since this creates a conflict to the Virtuemart Cart function. So this is not the cause either.

I went steadily backwards, de-activating the plugins etc from the !JoomlaComment, but that didn't seem to help.
But, changing the template got it working again.

Once again, I don't know if this has anything to do with the Comment upgrade, but it started shortly after this point (inside a day later).

Here's some server details, so you can see it shouldn't be any problems due to this:

Joomla 1.5.15
Windows IIS/6.0
!JoomlaComment 4.0 beta2
PHP 5.2.6
MySQL 5.0.51a

Heya Nils,

This RedEvo template problem only occurs with Beta 2a? It was OK with the Beta 2 before? Make sure you have the latest version installed from RedEvo

Yes, it is the latest Redevo.
Everything has been fine prior to the beta2 installation, and everything is fine on this other template.
I haven't done any weird template alterations after the beta2 install in case you're thinking that direction.

But, a template change is not the end-of-the-world, so this is more of a comment than anything else.

Well thanks for the comment Nils - I will make sure all the Free templates from Red Evolution are compatible with JoomlaComment 4.1.

Red Evolution comes with a template for joomlacomment or what?