Hi, I'm Mikhail Sosonkin, a Synack Red Team member. Being a builder and a hacker at heart, my interests are in vulnerability analysis, automation, malware and reverse engineering. I've gotten the opportunity to conduct and present my own research on these topics at conferences around the world. Here is one of my recent blogs – read and enjoy!
Joomla SIGE is a popular extension for creating image galleries within the Joomla CMS. An injection vulnerability was discovered that enables execution of a Cross Site Scripting (XSS) attack. The extension does not sanitize the text that it retrieves from the image header. Once the image is published online, it will cause the browser to load malicious content.
The version I tested against is 3.2.3 from the Joomla extensions page [0].
In the htmlImageAddTitleAttribute function, the title of the image is incorporated into the HTML:
On line 1669 of sige.php:
The variable image_description is not escaped properly and allows any character to be sent to the user. The value of this variable is obtained via the getimagesize function in the iptcInfo function on line 1515:
The source of the image description data is not escaped and allows HTML special characters to make their way to the user's browser.
In order to take advantage of this vulnerability the attacker needs to prepare an image with malicious content:
This can be done by rewriting the Caption-Abstract header object in a JPEG file using the exif command line tool. In the value, the attacker places a script tag which loads JavaScript from an attacker controlled web server. Since the content will be injected into an xss.js will do is clean up. Note that the clean up code has to protect from cleaning up twice because the EXIF caption is inserted twice by the SIGE plugin.
    var imgs = parent.getElementsByTagName("img");
    var as = parent.getElementsByTagName("a");
    as[0].title += imgs[0].getAttribute("s");
    imgs[0].remove();
    // The caption is inserted twice by the SIGE plugin, so the second copy is cleared as well
    imgs[0].setAttribute("src", imgs[1].getAttribute("src"));
    imgs[1].remove();
    // console.info("Now do evil things :-)");
  }, 200);
}
Even though this isn't strictly necessary, clean up is good so that users don't tip off the developers or administrators. This clean up code will remove the script tags and the corrupted image tags, but it will maintain a thread of execution to throw browser exploits [1], JavaScript key loggers [2] or bitcoin miners [3].
To fix the vulnerability, the image description field needs to be sanitised in the htmlImageAddTitleAttribute function, before it reaches the HTML content. PHP provides the htmlspecialchars function to do this. Thanks to Viktor Vogel of Kubik-Rubik for fixing and releasing an update very quickly [4]!
In my tests I was able to confirm that version 3.3.1 is not vulnerable to this exploit. The above code on line 1321 maps over all the data retrieved from the image and applies the htmlspecialchars function. This ensures that everything from the EXIF header is properly escaped before it is presented to the user.
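To make the fix concrete, here is an added example (not SIGE's code, and not the patch Kubik-Rubik shipped) of the same data flow: an IPTC Caption-Abstract value read through getimagesize and iptcparse, concatenated into a title attribute, first unescaped and then escaped the way the page describes, by mapping htmlspecialchars over every metadata field. The function names, the hypothetical gallery path and the constructed caption are mine; the ENT_QUOTES and ENT_SUBSTITUTE flags are an added caveat, since htmlspecialchars escapes only double quotes by default on PHP versions before 8.1, which would not protect a single-quoted attribute.

```php
<?php
// Added example, not SIGE's own code. Function names are hypothetical.
declare(strict_types=1);

/**
 * Read the IPTC Caption-Abstract (record 2, dataset 120) from a JPEG.
 * getimagesize() fills $info['APP13'] with the raw IPTC block, which is
 * the path the page describes for SIGE's image description.
 * Returns '' when the file has no caption.
 */
function readIptcCaption(string $path): string
{
    $info = [];
    if (@getimagesize($path, $info) === false || !isset($info['APP13'])) {
        return '';
    }
    $iptc = iptcparse($info['APP13']);
    return ($iptc !== false && isset($iptc['2#120'][0])) ? $iptc['2#120'][0] : '';
}

/** Vulnerable pattern: the caption is concatenated into the attribute unescaped. */
function imageTagVulnerable(string $src, string $description): string
{
    return '<img src="' . $src . '" title="' . $description . '">';
}

/**
 * Fixed pattern: escape every metadata value before it reaches HTML.
 * ENT_QUOTES covers both quote styles so the value cannot close a
 * title="..." or title='...' attribute; ENT_SUBSTITUTE keeps invalid
 * UTF-8 from turning the whole caption into an empty string.
 */
function escapeMetadata(array $fields): array
{
    return array_map(
        static fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $fields
    );
}

function imageTagFixed(string $src, string $description): string
{
    $safe = escapeMetadata(['src' => $src, 'title' => $description]);
    return '<img src="' . $safe['src'] . '" title="' . $safe['title'] . '">';
}

/**
 * Regression check for the template: the tag must be exactly one img
 * element whose title attribute contains no raw quote or angle bracket.
 * Returns true only when the caption could not leave the attribute.
 */
function titleAttributeIsEscaped(string $tag): bool
{
    if (!preg_match('/^<img src="[^"]*" title="([^"]*)">$/', $tag, $m)) {
        return false; // the caption broke out of the attribute or the tag
    }
    return strpbrk($m[1], '<>\'"') === false;
}

// Constructed caption, no image file needed: any quote or angle bracket
// in the metadata is enough to leave the attribute context.
$caption = 'Sunset over the bay" <b>bold</b> & more';
$src = 'gallery/1.jpg'; // hypothetical path

echo imageTagVulnerable($src, $caption), PHP_EOL;
echo imageTagFixed($src, $caption), PHP_EOL;
var_dump(titleAttributeIsEscaped(imageTagVulnerable($src, $caption)));
var_dump(titleAttributeIsEscaped(imageTagFixed($src, $caption)));

// With a real file, readIptcCaption('gallery/1.jpg') supplies $caption instead.
```

Running this shows the vulnerable tag failing the check because the caption's double quote terminates the title attribute and the rest of the caption becomes markup, while the fixed tag passes because every quote, angle bracket and ampersand has been replaced by an entity. The check is deliberately strict about the whole tag rather than just the attribute value: a regex that only looks for `title="..."` would match the truncated attribute in the vulnerable output and report it as safe.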
[0] Joomla! Extensions Directory
[1] A Peek Inside the 'Eleonore' Browser Exploit Kit
[2] Javascript-Keylogger
[3] brominer.com
[4] SIGE Joomla Extension
Synack provides initiatives to help foster the researcher community and engage top talent; technology to optimize researcher efficiency and accelerate vulnerability discovery, opportunities to work on unique targets, personalized support, and skills development. We do this through the Synack platform and our SRT Levels program which includes fun competitions, gamification, mentorship, and specialized projects.
Apply to join the Synack Red Team and become one of the chosen few. We provide the best support for our researchers, and put the highest quality, most relevant features into our platform – it was designed by hackers for hackers.
If you're up for the challenge, apply today, and use code "SRTBLOGS" in your application.