The script `libraries/idna_convert/example.php` suffers from a reflected XSS that can be used to inject HTML and malicious scripts, which can then access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. The script is an unnecessary default testing script of the idna library; I suggest deleting it ASAP.
A little security advisory will be published on bugtraq as soon as the bug is fixed.
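The remediation the report asks for is simply to delete the unused test script. The following is an added example, not part of the original issue thread or of Joomla's own code: a POSIX shell check that reports whether `libraries/idna_convert/example.php` is still present in a Joomla install and removes it on request, run here against a constructed throwaway directory tree. The function names, the `--remove` convention and the placeholder file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue thread): remediation check for the unused
# idna_convert test script. Function names and the --remove switch are
# assumptions of this example.

# Relative path of the file named in the report.
IDNA_EXAMPLE_REL='libraries/idna_convert/example.php'

# check_idna_example ROOT
# Prints a status line; returns 0 when the file is absent (clean),
# 1 when it is still present.
check_idna_example() {
    root=$1
    if [ -f "$root/$IDNA_EXAMPLE_REL" ]; then
        echo "PRESENT: $root/$IDNA_EXAMPLE_REL (unused test script, remove it)"
        return 1
    fi
    echo "absent:  $root/$IDNA_EXAMPLE_REL"
    return 0
}

# remove_idna_example ROOT
# Deletes the test script if present; returns 0 when the install is clean
# afterwards. Only this one file is touched, the library itself stays.
remove_idna_example() {
    root=$1
    if [ -f "$root/$IDNA_EXAMPLE_REL" ]; then
        rm -f "$root/$IDNA_EXAMPLE_REL"
        echo "removed: $root/$IDNA_EXAMPLE_REL"
    fi
    check_idna_example "$root" >/dev/null
}

# make_demo_install DIR
# Builds a constructed directory tree that mimics the relevant part of a
# Joomla install so the check can run offline. The file contents are
# placeholders; no real idna_convert code is involved.
make_demo_install() {
    dir=$1
    mkdir -p "$dir/libraries/idna_convert"
    printf '<?php // placeholder standing in for the shipped test script\n' \
        > "$dir/$IDNA_EXAMPLE_REL"
    # Placeholder standing in for the library proper (file name assumed).
    printf '<?php // placeholder standing in for the library class file\n' \
        > "$dir/libraries/idna_convert/idna_convert.class.php"
}

# Usage: sh check_idna.sh /path/to/joomla [--remove]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--remove" ]; then
        remove_idna_example "$1"
    else
        check_idna_example "$1"
    fi
fi
```

Run it with the Joomla web root as the first argument to audit, and add `--remove` to delete the script; the exit status makes it usable from a cron job or a deployment pipeline.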
Thank you, @epinna, for being a script kiddie.
You did not really discover this, but copied and pasted a report from another hacker from years ago; the developer of idna_convert still has not removed this example file, and you are being an attention whore before someone else steals your "discovery".
Have a nice day, *******.
I had no need to copy; the XSS was found by grepping around the code, and there was no Joomla-related advisory about this. The advisory (published after the patch) is relevant because buggy software was included in the 3 latest versions of the most widely used CMS. Also, please don't flame on GitHub; use email to criticize.
You lie, @epinna. You spread FUD about something when you do not even know what it is.
I do not know how old you are, but please stop and first go understand hacker ethics. Or at least improve your technical knowledge so as not to embarrass your name, so that people like me cannot call you a "script kiddie" and ask you to "send help via e-mail".
I don't lie; my previous answer is totally true :)
I agree with you about the version: I was wrong writing <= 3.1.5 instead of 3.x; I corrected it immediately on my blog after the clarification given to me on bugtraq. I'm sorry about this imprecision; I accept your criticism about this. On the other hand there is no reuse of "automated software or logic that true hackers(!) publish"; using grep on code for this silly XSS can barely be called code analysis.
I think that the full disclosure was useful to allow users to remove the injection point: if I had not published this advisory, the bugged file would have been spread for more weeks.
Personal insults have no place here - seriously!
Looking back at what happened, some serious mistakes were made by Emilio:
- he reported a vulnerability on this (public) tracker. That should have been done through the JSST.
- he disclosed the vulnerability (on his Dissecting blog and on Security Focus) with details before the issue was fully solved. The vulnerable file was removed from the repository, but the current 3.1.5 version was/is not officially patched with a new release yet. As stated on his blog: "The patch was applied in git but the last official version 3.1.5 is still vulnerable."
Although the vulnerability is not as severe as he describes in his disclosure, I don't think this is in any way tolerable. The least one can say is that his actions are not in the Joomla project's favour. Personal insults have no place here, I wholeheartedly agree, but in this case it is not easy to stay polite...
It is easy to stay polite. There is no excuse for personal insults.
If you can't stay polite, just go away. Please.
@fgeek what do you mean? I don't think disclosing details of a leak in Joomla before a patched version is released is good. Or do you mean something else?
http://disse.cting.org/2013/08/05/joomla-core-3_1_5_reflected-xss-vulnerability/
Especially this sentence: "The patch was applied in git but the last official version 3.1.5 is still vulnerable".
Yes, that was not a good move, but good work for informing the vendor anyhow. It does not always happen. It is not always easy, as one can see from this issue's discussion.
In short: I like to see vulnerabilities patched.
My point is that if you care about Joomla and find a vulnerability, you
1. inform the Joomla project (esp. the JSST), not the public
2. only disclose details after a patched version has been released for some time
Other ways of acting are not just "not a good move" but harmful to the Joomla project. I don't think it is a very good excuse to say: "the full disclosure was useful to permit users to remove the injection point: If I didn't have published this advisory, the bugged file had be spread for others weeks." That would at most have been a valid argument for the advice to remove libraries/idna_convert/example.php, not for any details of why, what and how. Not only on his blog, but also on other sites that are a good source of information for malicious hackers. Therefore I doubt the "noble motives" of @epinna (like @fititnt does, although his wording should have been more polite). And I think he should not get a "thank you" or "good work", but: please don't you ever do something like that again if you find a vulnerability; you now know how it should be done (see the above 2 points).
In this current case it is better that the reporter did report the issue, even though he did not do it in the best way possible. You should note that not all people use/respect the same disclosure policies or guidelines (or know them). Some do not even care to report vulnerabilities if they find them. You misunderstood me before. I did not want to say it was correct to announce vulnerabilities before properly contacting the vendor.
Quoting #1658 (comment):
> You do not really discover this, but copy&paste a report from another hacker from years ago, and the developer of idna_convert still did not remove this example file and being one attention whore before someone else steal your "discovery".
Years ago... what?
Reporting vulnerabilities might be tricky business. Sometimes vendors don't reply at all. I have seen this already with Joomla when I had requested information about vulnerabilities. I am not saying that Joomla hasn't responded to security@ emails when someone reported something, but it has definitely happened with other vendors. I have also seen comments that XSS is not such a critical security vulnerability that it would need a proper disclosure process. I'd say that is wrong :)
There might be lots of reasons why disclosure was not done by following http://docs.joomla.org/Filing_bugs_and_issues#Reporting_security_issues, but in any case it clearly did not justify insults.
FYI this page is linked from within Nessus when it identifies the issue.
Thanks Emilio for reporting. ^_^