
JOOMLA KUNENA 3.0.4 CROSS SITE SCRIPTING


Description


"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."

Kunena is written in PHP. Users can post a Google Map using the following BBCode:
[map]content[/map]

Kunena builds an inline JavaScript block from this input, but does not escape the input correctly for the place where it is inserted.


Analysis


Vulnerable function in \bbcode\bbcode.php (lines 1049-1116):

1049 function DoMap($bbcode, $action, $name, $default, $params, $content) {
...
1078 $document->addScriptDeclaration("
1079 // <![CDATA[
...
1097 var contentString = '".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE', true)." ".json_encode($content)."';
...
1112 // ]]>"
1113 );

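The output of json_encode($content) is placed inside a single-quoted JavaScript string literal (line 1097). By default json_encode() does not escape single quotes, so they remain untouched in $content and it's possible to break out of the encapsulation.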
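The pattern on line 1097 next to a hardened form, as an added example that is not Kunena's code or its actual fix. The function names, the `$label` stand-in for the JText string and the sample address are constructed for illustration.

```php
<?php
// Constructed input: a harmless address containing an apostrophe is
// enough to show that the string literal is terminated early.
$content = "O'Connell Street, Dublin";

// Hypothetical stand-in for the translated JText string on line 1097.
$label = 'Cannot geocode:';

// Pattern from the advisory: json_encode() output pasted inside a
// single-quoted JavaScript string literal. Default json_encode() wraps the
// value in double quotes and leaves "'" alone, so the apostrophe in the
// input closes the surrounding literal.
function build_vulnerable(string $label, string $content): string
{
    return "var contentString = '" . $label . " " . json_encode($content) . "';";
}

// Hardened form: assemble the message in PHP and let json_encode() emit the
// complete JavaScript literal, with no hand-written quotes around it.
// The JSON_HEX_* flags turn ', ", <, > and & into \uXXXX escapes, so the
// value also cannot close an inline <script> or CDATA block.
function build_hardened(string $label, string $content): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return 'var contentString = ' . json_encode($label . ' ' . $content, $flags) . ';';
}

// Simple check for review or a unit test: a raw single quote inside the
// emitted statement means user input can reach the literal's delimiter.
function raw_single_quotes(string $js): int
{
    return substr_count($js, "'");
}

foreach (['vulnerable' => build_vulnerable($label, $content),
          'hardened'   => build_hardened($label, $content)] as $name => $js) {
    printf("%-10s quotes=%d  %s\n", $name, raw_single_quotes($js), $js);
}
```

In the vulnerable line the two delimiting quotes are joined by a third one coming from the input; the hardened line contains no raw single quote at all because the apostrophe is emitted as `\u0027`.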
