
Cross-site scripting vulnerability caused by CB Connect

  • krileon
  • krileon
  • ONLINE
  • Posts: 48708
  • Thanks: 8319
  • Karma: 1447
12 years 2 months ago #213724 by krileon
Vulnerability where? We can't be responsible for the connect sites' JS. Please disable the connect sites 1 by 1 instead of the whole plugin to see which specifically is causing it. Please also PM me exact steps to duplicate.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.


12 years 2 months ago #213757 by timurdavidov
I had only Facebook enabled.


12 years 2 months ago - 12 years 2 months ago #213929 by krileon
I see you still have CB Connect enabled. Using the two links you provided I'm not seeing any sort of vulnerability. It simply displays the page in the URL as normally. What browser are you seeing this on? I also can't produce any such issue locally so do not see how this could be coming from CB Connect. If possible please PM me further details on how I can replicate this issue reliably.


Last edit: 12 years 2 months ago by krileon.


12 years 2 months ago #214152 by timurdavidov
Yes, I enabled it for you to look at. The vulnerability wasn't being detected when it was disabled.

I used Firefox and Chrome to test those URLs and it clearly showed vulnerability while CB Connect was up.

That is, while CB Connect was up, the URLs were accepting a script at the end of the URLs and executing it.

Only Facebook is enabled in CB Connect.


12 years 2 months ago - 12 years 2 months ago #214185 by krileon
I'm not seeing this issue in Firefox, Chrome, or IE. The only way this could happen is if the return URL was not escaped, but it is and I can clearly see it being escaped in the script in your header that is prepared by CB Connect.

I'm not sure what more to advise, perhaps an issue with your browser itself? Was CB Connect modified in any way? The plugin url function in the class file is what prepares the return URL (you can see it htmlspecials and adds slashes properly, javascript urls won't even render without slashes being added).

Is this happening while just visiting one of the URLs that you supplied? Happening while logged in? Happening after clicking FBC and logging in? Please PM me exact steps to duplicate.


Last edit: 12 years 2 months ago by krileon.


12 years 2 months ago - 12 years 2 months ago #214306 by timurdavidov
Kyle,

As per my most recent private message to you, I now understand why you didn't see anything. The problem is that when I posted the URLs here and in the earlier PM, the script tags that were originally in the URLs were stripped off from those URLs when I posted the message. I simply forgot to use the code tags here.

This is what was stripped off, which was at the end of the URLs:
Code:
?foobar'});}};--></script>foobar2<script>alert(42)</script>

Example:
Code:
mysite.com/category1/category2/category3_c85/?foobar'});}};--></script>foobar2<script>alert(42)</script>

But you should check my latest pm for the actual URLs.
Last edit: 12 years 2 months ago by timurdavidov.

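The disagreement above comes down to one question: how is the return URL placed inside the inline script that CB Connect writes into the page header? The following is an added example written for this thread, not CB Connect's or Joomla's own code. It takes the exact payload timurdavidov posted, appends it to a constructed page URL (modelled on the one in his post), and runs it through three hypothetical embedding functions: quotes-only escaping, the htmlspecialchars-plus-addslashes combination Kyle describes, and a json_encode-based form. A small check then reports which variants let the HTML parser close the script element early, which is the mechanism the posted payload relies on.

```php
<?php
// Added example, not CB Connect's own code. Function names are hypothetical.
// It feeds the payload quoted in the thread through three ways of placing a
// "return URL" inside an inline <script> block and checks which of them let
// the HTML parser close the script element early.

// Payload exactly as posted in the thread, appended to a constructed page URL.
$payload   = "?foobar'});}};--></script>foobar2<script>alert(42)</script>";
$returnUrl = 'http://mysite.com/category1/category2/category3_c85/' . $payload;

// 1. Quotes only: addslashes() keeps the JS string literal intact, but a
//    literal "</script>" inside it still ends the <script> element, because
//    the HTML parser runs before the JavaScript engine ever sees the string.
function embedAddslashesOnly(string $url): string
{
    return "<script>var returnUrl = '" . addslashes($url) . "';</script>";
}

// 2. What the thread describes: htmlspecialchars() turns < and > into
//    entities, then addslashes() handles the quote. No "</script>" can
//    survive, although the value stored in JS now contains HTML entities.
function embedHtmlspecialcharsAddslashes(string $url): string
{
    $escaped = addslashes(htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
    return "<script>var returnUrl = '" . $escaped . "';</script>";
}

// 3. Context-correct: json_encode() emits a JS string literal and the HEX
//    flags encode < > & ' " as \uXXXX, so the browser receives the original
//    URL unchanged and the surrounding markup cannot be broken out of.
function embedJsonEncode(string $url): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var returnUrl = ' . json_encode($url, $flags) . ';</script>';
}

// Detection check: the only "</script>" allowed is the one appended at the end.
function closesScriptEarly(string $html): bool
{
    $tag = '</script>';
    return stripos($html, $tag) !== strlen($html) - strlen($tag);
}

foreach ([
    'addslashes only'               => embedAddslashesOnly($returnUrl),
    'htmlspecialchars + addslashes' => embedHtmlspecialcharsAddslashes($returnUrl),
    'json_encode with HEX flags'    => embedJsonEncode($returnUrl),
] as $name => $html) {
    printf("%-30s early </script>: %s\n", $name, closesScriptEarly($html) ? 'yes' : 'no');
}
```

Run it with `php` on the command line. The point for anyone checking a site like the reporter's: view the page source and look at the script block CB Connect prepares in the header. If the query string from the URL appears there with a literal `</script>` in it, the escaping Kyle describes was not applied on that code path (a modified plugin, a different template override, or another extension writing the URL), and that is where to look. The json_encode form is the one to prefer when writing such code yourself, because it is escaped for the JavaScript-string context it actually lands in and hands the browser the URL unaltered, whereas htmlspecialchars leaves HTML entities inside the JS value.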
