
Regarding the Joomla VEL report on K2

5 years 4 months ago - 5 years 4 months ago #129246 by Lefteris
Lefteris created the topic: Regarding the Joomla VEL report on K2
For those who are not aware, the Joomla! Vulnerable Extensions List (VEL) vel.joomla.org is a directory where any Joomla! extension which is found to have security vulnerabilities is listed. This is done to inform both users and developers about the possible security risks. The VEL team also notifies the Joomla! Extensions Directory (JED) team for vulnerable extensions which in turn unpublish vulnerable extensions to protect users from using them.

Yesterday, June 10th, the VEL team announced that an XSS vulnerability was found in K2.

The report on the VEL website is here: vel.joomla.org/vel-blog/1332-k2-content-extension-2-6-8.html - and here is the original report sent to the VEL (as it was sent to us too) jmp.sh/v/duPCAStUdsd478SMDy6r

We were informed about this through email and K2 was unpublished from the JED a day after despite our efforts to explain to the VEL team that it's NOT a security issue. No, there is no XSS vulnerability in K2. And the K2 listing in the Joomla Extensions Directory (JED) got unpublished right away: extensions.joomla.org/extensions/authoring-a-content/content-construction/8061

The report we received was indicating the vulnerability in the K2 media manager. Just try to create a new folder using the K2 media manager and give the following as folder name:
<script>alert(1)</script>
The code does get executed. But this does not make it an XSS vulnerability. The only person you can hack with this is... yourself. Let us explain.

Persistent XSS attacks
This is the scenario when the attacker is posting malicious code (in a comment for example) which is saved without being checked. In that case the next user who will read the comment will execute the code without knowing. In our case, the code is not saved anywhere, the database or the file system. So this will prevent persistent XSS attacks.

Non-persistent XSS attacks
This is the scenario when the attacker is using the page input data to inject malicious code in that page. The attacker builds a URL like yoursite.com/?id=MALICIOUS_CODE_GOES_HERE . A user who will click this link will also execute the malicious code without knowing. Is this possible in our case? The answer is no.

To summarise, there is no (known until now) way to apply an XSS exploit in K2 using its media manager.

The VEL team should be a little more careful in the future when assessing security reports on Joomla extensions. If such a report (like in the case of K2) is false, panic can easily be spread among users, especially when affected extensions are also unpublished from the Joomla Extensions Directory (JED).

We have contacted the VEL team back and we have also reported this issue to the JED team, as well as making it public so people (K2 users) know what's going on and why K2 got unpublished yesterday.

K2 is considered to be one of the most secure extensions for Joomla, ever. It was audited by the Joomla core team back in 2010 when it was used to build the Joomla Magazine website. Since then, there has been only 1 report in the VEL about K2 and this report was again a bit questionable on how it could actually harm a website (given real world circumstances, not academic theories).

DISCLAIMER: If the VEL team can find a way to apply an exploit based on this report, I will recall everything immediately and apologize publicly. The VEL is a working group (WG) in Joomla of utmost importance. It helps keep the entire community safe from harmful extensions for Joomla. But we do need to ensure that these processes work properly.


Update 1: Added a link to the original report sent to the VEL team
Update 2: It's been around 7 hours since this post and more since we emailed back the VEL team and posted in the JED helpdesk to re-publish K2. Still no word either from the VEL or JED teams.
Update 3 - June 12th, 1:36 AM (GMT): K2 is now re-published in the Joomla! Extensions Directory - huge thanks to the JED team for their prompt response ow.ly/xUcjK

IMPORTANT: Please search the forum before posting a question!

JoomlaWorks Support Team Member

---
JoomlaWorks
www.joomlaworks.net/
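
The post's distinction between persistent and non-persistent XSS turns on whether the folder name is ever stored or reachable through a link; separately from that, a handler can reject such a name on input and encode it wherever it is echoed. The sketch below shows both controls on the folder name quoted in the post. It is an added example, not K2 code and not part of the original post; the function names, the allowlist and the in-memory `store` are assumptions.

```javascript
'use strict';
// Hypothetical media-manager helpers (assumed names, not K2's implementation).

// Encode the five HTML-significant characters so a name renders as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Assumed allowlist: letters, digits, space, dot, dash, underscore, 1-64 chars.
const SAFE_NAME = /^[A-Za-z0-9 ._-]{1,64}$/;

function validateFolderName(name) {
  return typeof name === 'string' && SAFE_NAME.test(name) &&
         name !== '.' && name !== '..';
}

// Weak form: the typed name is concatenated into markup unchanged.
function renderRowUnsafe(name) {
  return '<li class="folder">' + name + '</li>';
}

// Corrected form: the name is encoded at the point of output.
function renderRowSafe(name) {
  return '<li class="folder">' + escapeHtml(name) + '</li>';
}

// Reject on input, encode on output (the error message echoes the name too).
function createFolder(store, name) {
  if (!validateFolderName(name)) {
    return { ok: false,
             html: '<p class="error">Invalid folder name: ' + escapeHtml(name) + '</p>' };
  }
  store.push(name); // only validated names are ever persisted
  return { ok: true, html: renderRowSafe(name) };
}

const payload = '<script>alert(1)</script>'; // folder name quoted in the post
const store = [];                            // constructed stand-in for storage
const result = createFolder(store, payload);
console.log(renderRowUnsafe(payload)); // markup with a script element in it
console.log(result.html);              // the same name as inert text
console.log(store.length);             // nothing was stored
```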
