Joomla: Multiple XSS Vulnerabilities, Detected with SonarQube Cloud

SonarQube Cloud | March 13th 2024 | 2:34

Watch how SonarQube Cloud's cross-file taint analysis detects multiple cross-site scripting vulnerabilities in the Joomla CMS, demonstrating the power of cloud-based static analysis on open-source projects.

Overview

Joomla, a widely-used free and open-source content management system for building websites and online applications, recently became the subject of significant security research. Sonar's vulnerability research team discovered critical cross-site scripting (XSS) vulnerabilities in the popular CMS platform. The vulnerabilities were identified and analyzed using SonarCloud, demonstrating how modern code analysis tools can detect sophisticated security issues in real-world applications.

Detection and Analysis with SonarCloud

The vulnerabilities were discovered through systematic analysis with SonarCloud, which flagged the XSS issues in the Joomla codebase. Using SonarCloud's connected mode integration with development environments, the researchers could view the findings directly in the IDE and trace each one back to its root cause. This made it possible to follow the actual vulnerable code paths in detail.

The Root Cause: UTF-8 Handling Differences

The vulnerability stems from the cleanTags method, which is designed to sanitize potentially malicious input by locating opening angle brackets and removing all subsequent data until the corresponding closing bracket is found. The sanitization process relies on two PHP string functions: mbStrPos() and mbSubStr().

However, these functions handle invalid UTF-8 sequences differently, creating a critical vulnerability. When mbStrPos() encounters a UTF-8 leading byte, it attempts to parse continuation bytes until the complete byte sequence is read. If an invalid byte is encountered, all consumed bytes are treated as a single character and parsing restarts. In contrast, mbSubStr() simply skips over continuation bytes when encountering a leading byte. Attackers can exploit this discrepancy to offset the index beyond an opening angle bracket, completely bypassing Joomla's sanitization mechanism.
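The following is an added example, not Joomla's or Sonar's code, of how a cleanTags-style stripper can close the gap described above: it refuses input that is not valid UTF-8 before doing any multibyte index arithmetic, and it cross-checks that the index returned by the position function really lands on `<` when read back through the substring function. It assumes that PHP's built-in mb_strpos()/mb_substr() are the functions the page refers to as mbStrPos()/mbSubStr(); the function name and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not Joomla's code): a cleanTags-style stripper hardened
// against the mb_strpos()/mb_substr() index mismatch on malformed UTF-8.
// Function name and inputs are hypothetical/constructed for illustration.

function stripTagsConsistently(string $input): ?string
{
    // Mitigation 1: never run multibyte index arithmetic on malformed UTF-8.
    // Rejecting is the safest choice; mb_scrub() is an alternative if
    // silently dropping invalid bytes is acceptable for the application.
    if (!mb_check_encoding($input, 'UTF-8')) {
        return null;
    }

    $out = $input;
    while (($open = mb_strpos($out, '<', 0, 'UTF-8')) !== false) {
        // Mitigation 2: the index must refer to the same character in both
        // functions. If reading it back does not yield '<', the two functions
        // disagree about character boundaries and the input is not trusted.
        if (mb_substr($out, $open, 1, 'UTF-8') !== '<') {
            return null;
        }
        $close = mb_strpos($out, '>', $open, 'UTF-8');
        // Unterminated tag: drop everything from '<' to the end of the string.
        $end = ($close === false) ? mb_strlen($out, 'UTF-8') : $close + 1;
        $out = mb_substr($out, 0, $open, 'UTF-8')
             . mb_substr($out, $end, null, 'UTF-8');
    }
    return $out;
}

// Constructed inputs for a local check: one valid string with multibyte
// characters, one containing a lone UTF-8 lead byte ahead of a tag.
$samples = [
    'valid'   => "héllo <b>world</b> ünïcode",
    'invalid' => "h\xC3llo <b>world</b>",
];
foreach ($samples as $label => $s) {
    $r = stripTagsConsistently($s);
    printf("%-8s => %s\n", $label,
        $r === null ? 'REJECTED (invalid UTF-8 or inconsistent index)' : var_export($r, true));
}
```

Run with `php example.php`; the valid sample has its tags removed while the malformed sample is rejected before any index from mb_strpos() is ever passed to mb_substr().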

Impact and Resolution

The vulnerability allows attackers to inject malicious content that evades Joomla's input sanitization, leading to successful XSS attacks. In response to this discovery, Joomla released a security announcement and published version 5.0.3, which mitigates the vulnerability and addresses the underlying issue.

Key Takeaways

  • XSS vulnerabilities in Joomla were discovered through SonarCloud analysis, demonstrating the importance of continuous security scanning
  • The vulnerability exploited differences in how PHP's mbStrPos() and mbSubStr() functions handle invalid UTF-8 sequences
  • Attackers could bypass input sanitization by offsetting indices beyond opening angle brackets using crafted UTF-8 sequences
  • Joomla version 5.0.3 was released to mitigate the discovered vulnerabilities
  • Full technical details are available on the SonarSource blog for security researchers and practitioners