The Joomla! Forum ™



 Post subject: Where's the bottom?
Posted: Thu Jul 16, 2009 5:31 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
*sigh*
I love Joomla a lot, but in the past 2 weeks, I've found XSS vulnerabilities in 9 different Joomla components:

  • Agora Forums
  • ccBoard *
  • Ninjaboard *
  • EasyBook *
  • JTag Ticketing System
  • uddeIM
  • Kunena
  • WebAmoeba
  • SOBI2 *
* unpublished for now
Where will the madness end? ??? :eek: ???
Edit: updated list of published exploits

_________________
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι


Last edited by jeffchannell on Tue Jul 21, 2009 12:25 pm, edited 1 time in total.

 Post subject: Re: Where's the bottom?
Posted: Thu Jul 16, 2009 8:01 pm
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
You are running 1.5.12?

_________________
http://www.schrammen.net


 Post subject: Re: Where's the bottom?
Posted: Thu Jul 16, 2009 9:13 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
Yes. It's not that I'm getting hacked. I installed each of these components, latest versions on ALL of them, and exploited them myself.

Just lamenting, friend...

 Post subject: Re: Where's the bottom?
Posted: Fri Jul 17, 2009 5:02 am
Joomla! Explorer

Joined: Fri Nov 24, 2006 6:13 pm
Posts: 335
Jeff, after your email, we got this issue secured as well as 2 others. Thank you very much for your email earlier today. It couldn't have been better timing as we were about to release Agora 3.0 prior to this.

Now our attachment system will check for actual MIME types of any executable type of file.

_________________
http://jvitals.com


 Post subject: Re: Where's the bottom?
Posted: Fri Jul 17, 2009 10:19 am
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1365
Location: Germany
jeffchannell wrote:
Yes. It's not that I'm getting hacked. I installed each of these components, latest versions on ALL of them, and exploited them myself.

Just lamenting, friend...


OK, now it's clear.

 Post subject: Re: Where's the bottom?
Posted: Fri Jul 17, 2009 11:53 am
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
Hazzaa - I didn't expect a reply to my email here. :P Can you keep me updated as to when the release will be available, so I can publish the article I wrote? I'll try not to do as I did with Kunena (forgot to set the published param, then Google cached it before I even realized).

 Post subject: Re: Where's the bottom?
Posted: Fri Jul 17, 2009 6:14 pm
Joomla! Explorer

Joined: Fri Nov 24, 2006 6:13 pm
Posts: 335
It is available now ( http://extensions.joomla.org/extensions ... 91/details ). As for replying to your email here, I think it is perfect, allowing others in the community (if they use Agora) to know to update ASAP.
We are sending out emails to all our members, but this only reaches 7,000+ out of more than 70,000.

Once again, thank you for catching this on our behalf.

 Post subject: Re: Where's the bottom?
Posted: Sat Jul 18, 2009 8:57 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
Advertise? My exploits? The published ones are on my blog, see the link in my sig...

...the unpublished ones will stay that way for now.

 Post subject: Re: Where's the bottom?
Posted: Sat Jul 18, 2009 9:11 pm
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11641
Location: The Girly Side of Joomla in Sussex
legendkiller333 wrote:
can you advertise

5 post PM spammer...
:pop

recommend add to FOE lists

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 Post subject: Re: Where's the bottom?
Posted: Sat Jul 18, 2009 9:17 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
Nice catch, I've barely been on today...

 Post subject: Re: Where's the bottom?
Posted: Tue Jul 21, 2009 5:05 am
Joomla! Explorer

Joined: Fri Nov 24, 2006 6:13 pm
Posts: 335
Jeff, though many users have updated, there are many still vulnerable whether through Agora or the other components you have listed. Please be fair to them so they are not hacked.

 Post subject: Re: Where's the bottom?
Posted: Tue Jul 21, 2009 7:34 am
Joomla! Guru

Joined: Wed Jan 09, 2008 9:16 pm
Posts: 527
Jeff,

Thanks again for picking these up. Is it safe to assume that you've informed the developers of all these extensions, as I'm a user of more than one of them and would hope that updates are being put in place as I type!

Best wishes,

Dave.

_________________
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.


 Post subject: Re: Where's the bottom?
Posted: Tue Jul 21, 2009 12:07 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
Dave - some have patched, some have replied, and some I've still never heard from.

And to those who don't like my exploits being posted here: that's fine. I believe in full disclosure, and I will be publishing these regardless of who likes it, just not here anymore...

 Post subject: Re: Where's the bottom?
Posted: Tue Jul 21, 2009 12:19 pm
Joomla! Guru

Joined: Wed Jan 09, 2008 9:16 pm
Posts: 527
I'm with you on this one... I think that the devs should be informed of the vulnerabilities and given time to patch their product. Users need to be aware of the vulnerabilities to make a choice over their solution.

Am I to assume you will be publishing on your site/blog instead and why not on the J! extensions forum?

Dave.

 Post subject: Re: Where's the bottom?
Posted: Tue Jul 21, 2009 12:38 pm
Joomla! Ace

Joined: Tue Jun 09, 2009 2:21 am
Posts: 1963
Location: WV
I'll be publishing on my blog, and probably start sending submissions to milw0rm again. As for here, no. No more vulnerabilities will be posted here. I guess it just rubs some people the wrong way...

 Post subject: Re: Where's the bottom?
Posted: Tue Jul 21, 2009 2:56 pm
Joomla! Virtuoso

Joined: Sat Sep 24, 2005 11:01 pm
Posts: 4779
Location: Toronto, Canada
jeffchannell wrote:
I'll be publishing on my blog, and probably start sending submissions to milw0rm again. As for here, no. No more vulnerabilities will be posted here. I guess it just rubs some people the wrong way...


We don't publish vulnerabilities here because this is a forum, and not a vulnerability reference site. There are other sites that do a much better job.

The proper way to handle exploits that you find is to first contact the developer and give them an opportunity to respond. If they don't respond within a reasonable amount of time then I think it is fair to publish the exploit.

If you find issues in the core itself, please report them at http://developer.joomla.org/security/co ... -team.html.

When we receive security issue reports we investigate them and assess the priority level and take appropriate action - whether that be fixing in the next maintenance release or if it is severe enough starting the release cycle early.

Ian


 Post subject: Re: Where's the bottom?
Posted: Wed Jul 22, 2009 10:23 pm
Joomla! Ace

Joined: Thu Mar 26, 2009 5:38 pm
Posts: 1272
Location: Gadsden, AL
The Issue

Various extensions have been found to have security vulnerabilities.

The Method of Reporting

Not all issues listed show as "reported to author/developer" on the site linked by the author of this post. Also, according to the site, this was not done in some cases (see the Kunena post, found here: http://jeffchannell.com/Joomla/kunena-f ... ility.html ). In the comments, the purpose given for not reporting was "Jeff Channell--The resulting chaos can be fun to watch sometimes."

The Purpose

While reporting security issues is an excellent thing to do and is everyone's responsibility in the community, when these are found it is always wise to give the developers the opportunity to fix the issue.

The Result

By basically posting "How To" guides, you have provided hackers and hacker-wannabes additional opportunities that may not have been completely known before. You have assumed that all the developers of these extensions (which are mostly free to use) are on YOUR time schedule. You've also assumed that every single user of these extensions is on YOUR update schedule. This is just because you think it's "fun to watch"?

My Thoughts

Instead of publishing a "How To Guide For Hackers", publish a fix and/or a link to the developer's fix. Your guides give no benefit to the community and instead could cause potential trouble for thousands of sites worldwide, all in the name of your personal enjoyment? I believe that many other community members would/do have serious issues with the approach you took here. Maybe next time you'll consider the negative impact on the community.

_________________
~Matt Lipscomb
http://www.USAFreelancers.org
Professional Joomla! Services and Web Development based in the USA

