Full Report
Sonar Source people go crazy on web security issues! Definitely one of the best blogs to read through for cutting edge security research. In this case, they have a wild XSS in the Joomla CMS. The CMS was removing all HTML tags besides ones that were not explicitly allowed. To do this, the function cleanTags removes all of the illegal content about the tag (attributes and things) but leaves the value within the tag alone. This code is very security sensitive. So, while reviewing the implementation in detail, they noticed that mb_strpos and mb_substr handle invalid UTF-8 sequences differently. Formb_strpos, if it encounters an invalid sequence it jumps back to the second byte being processed. The other function skips over the continuation bytes when this happens. The inconsistency creates a major problem - it may be possible to smuggle in angle brackets and other useful characters by abusing this. Since one function uses a different index than another, it processes different information. By inserting multiple invalid UTF-8 sequences to break the offsetting math in the various functions. By inserting multiple invalid UTF-8 sequences to break the offsetting math in the various functions. For instance, \xF0\x9FAAA will see the invalid sequence and add the as a valid part of the processing even though much of it was thrown out. PHP actually fixed the underlying issue to this problem but didn't backport it because they didn't consider it a security issue. Overall, a fascinating issue of exploiting the intricacies of multibyte characters. Super post with awesome diagrams explaining the vulnerability.
Analysis Summary
# Vulnerability: Joomla XSS via PHP Multibyte String Inconsistency
## CVE Details
- **CVE ID:** CVE-2024-21726
- **CVSS Score:** Not explicitly listed in text, but categorized as leading to Remote Code Execution (High/Critical potential).
- **CWE:** CWE-79 (Cross-site Scripting), CWE-177 (Inconsistent Interpretation of HTTP Messages/Data)
## Affected Systems
- **Products:** Joomla CMS
- **Versions:** 5.0.2 and below; 4.4.2 and below.
- **Configurations:** Systems running on PHP versions where `mbstring` functions handle invalid UTF-8 sequences inconsistently (specifically PHP versions prior to 8.3/8.4).
## Vulnerability Description
The vulnerability stems from an inconsistency in how PHP's `mbstring` extension functions handle invalid multibyte sequences. Joomla's `InputFilter::cleanTags` method relies on these functions to identify and remove malicious HTML tags.
Technically, `mb_strpos` and `mb_substr` behaved differently when encountering invalid UTF-8:
1. **mb_strpos**: When it encounters an invalid sequence (e.g., a leading byte `\xF0` followed by an invalid continuation byte), it may jump back to process the second byte.
2. **mb_substr**: Skips over continuation bytes entirely when an invalid sequence is found.
By crafting a payload with invalid UTF-8 sequences (e.g., `\xF0\x9FAAA<script>`), an attacker can "desynchronize" the offset math between these two functions. This allows an attacker to smuggle angle brackets (`<`, `>`) through the filter, as one function perceives the character as part of a multibyte sequence while the other perceives it as a literal character, effectively bypassing the `cleanTags` sanitization logic.
## Exploitation
- **Status:** PoC available (detailed in research).
- **Complexity:** Medium (requires knowledge of multibyte character handling).
- **Attack Vector:** Network (tricking an administrator into clicking a malicious link).
## Impact
- **Confidentiality:** High (Session hijacking of administrators).
- **Integrity:** High (Modification of site content; potential Remote Code Execution).
- **Availability:** High (Potential for full site takeover).
## Remediation
### Patches
- **Joomla:** Update to version **5.0.3** or **4.4.3**. These versions replace multibyte-aware string functions with standard string functions (like `strpos` and `substr`) in security-sensitive filtering paths.
- **PHP:** Update to **PHP 8.3** or **8.4**. Note: PHP did not backport this fix to older versions as they did not classify the underlying inconsistency as a security bug.
### Workarounds
- No specific software workarounds are provided; immediate update of the CMS is the primary recommendation.
## Detection
- **Indicators of Compromise:** Look for URL parameters containing invalid UTF-8 sequences (e.g., hex codes like `\xF0` followed by alphanumeric characters and HTML tags).
- **Detection Methods:** Monitor web server logs for suspicious activity targeting the `forcedItemType` or other query parameters processed by Joomla’s core filter. Utilize static analysis tools (like SonarQube) to identify reflected parameters using `Joomla\Filter\InputFilter`.
## References
- **Vendor Advisory:** [https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html](https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html)
- **Sonar Technical Analysis:** [https://www.sonarsource.com/blog/joomla-multiple-xss-vulnerabilities/](https://www.sonarsource.com/blog/joomla-multiple-xss-vulnerabilities/)
- **PHP Fix/CVS:** [https://github.com/php/php-src/pull/12913](https://github.com/php/php-src/pull/12913)