Joomla! is one of the world's most popular content management systems (CMS). It enables users to build Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share.
As of July 2017, Joomla! has been downloaded over 82 million times. Over 7,800 free and commercial extensions are available from the official Joomla! Extension Directory, and more are available from other sources.
In my last blog, I discovered 2 Cross-Site Scripting (XSS) vulnerabilities in Joomla!. They are identified as CVE-2017-7985 and CVE-2017-7986. After analyzing the patches for these issues, I discovered 3 more XSS vulnerabilities. Joomla! still identifies these 3 new vulnerabilities as CVE-2017-7985, and has posted a separate security announcement.
As detailed in my last blog, these vulnerabilities exist because Joomla! fails to sanitize malicious user input when users post or edit an article. Remote attackers could exploit these vulnerabilities to run malicious code on a victim’s browser. This could allow the remote attacker to gain control of the victim’s Joomla! account. However, if the victim has higher permission, like system administrator, the remote attacker could actually gain full control of the web server.
These vulnerabilities affect Joomla! CMS versions 1.5.0 through 3.7.2. In this blog, I will share the details of these vulnerabilities.
In the patches for CVE-2017-7985 and CVE-2017-7986, Joomla! filtered special characters, like the right double quotation mark, and dangerous HTML codes like “formaction.” But the filtering process is similar to a blacklist sanitizer, which means it simply matches the bad codes and drops them.
In this analysis I use the same test account ‘yzy1’ as in my last post. This account only has publisher permission, which means it’s not allowed to use full HTML elements.
In the CVE-2017-7985 and CVE-2017-7986 patches, Joomla! sanitized my PoC
as shown in Figures 1 and 2.