Kunena Forum Extension for Joomla Multiple Reflected Cross-Site Scripting Vulnerabilities

[vulns@xxxxxxxxxxx]

Kunena forum extension for Joomla multiple reflected cross-site scripting 
vulnerabilities

Class:                  Input Validation Error
CVE                     N/A
Remote                  Yes
Local                   No
Published               02/07/2014

Credit                  Raymond Rizk of Dionach (vulns@xxxxxxxxxxx)
Vendor                  Kunena
Vulnerable              Kunena v3.0.5
Solution Status:        Fixed by Vendor

Kunena Forum is prone to multiple reflected cross-site scripting 
vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the 
browser of an unsuspecting user in the context of the affected site, steal 
cookie-based authentication credentials, and obtain sensitive information.

Kunena v3.0.5 is known to be vulnerable. Earlier versions may also be 
vulnerable.

To exploit this issue, an attacker must have a user account on the forum. The 
vulnerability affects all pages/tasks that use parameters in the form of 
?parameter[]?. Additionally, the file upload and profile image upload 
functionality are also vulnerable. This can be seen in the proof of concept 
example below:

POST /index.php?option=com_kunena&view=home&defaultmenu=130&Itemid=12
Content-Disposition: form-data; name="avatarfile"; filename="<iframe 
src=javascript:alert('XSS')>"

Vendor informed and a new version (3.0.6) was released on 28/07/2014. Vendor 
recommends updating Kunena to the latest version.