lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CACHTPQieN+0B4EpT3-LH7N0rSqqZQt3N-gK8b-a-TP7jjvMD2w@mail.gmail.com>
Date: Mon, 5 Aug 2013 11:19:06 -0300
From: samelat <samelat@...il.com>
To: bugtraq@...urityfocus.com
Subject: Joomseller "Events Booking Pro" and "JSE Event" reflected XSS

----------------------------------------------------------------------------------------------
 Joomseller "Events Booking Pro" and "JSE Event" reflected XSS
----------------------------------------------------------------------------------------------

[+] Software Link:

http://www.joomseller.com/joomla-components/jse-event.html


[+] Affected Versions:

Component com_events_booking_v5
Component com_jse_event < 1.0.1


[+] Vulnerability Description:

The vulnerable files are the following:

.- For JSE Event:
/modules/mod_jse_mini_calendar/tmpl/tootip.php

.-For Events Booking pro:
/modules/mod_eb_v5_mini_calendar/tmpl/tootip.php

The "info" parameter is not correctly sanitized before being used,
allowing an attacker to perform XSS attacks.

As a proof of concept, an attacker could perform the following request:

http://example.com/modules/mod_eb_v5_mini_calendar/tmpl/tootip.php?info=eyJldmVudHMiOiIoMTU6MDA6MDApIDxzY3JpcHQ%2BYWxlcnQoMSk7PC9zY3JpcHQ%2BIiwgImV2ZW50X2lkIjoiNjQiLCAiaXRlbWlkIjoiMSIsICJldnJfaWQiOiIxMTkxIn0%3D

where the contents of the info parameter is the following payload
encoded using base64 encoding

{"events":"(15:00:00) <script>alert(1);</script>", "event_id":"64",
"itemid":"1", "evr_id":"1191"}


[+] Solution:

Upgrade to JSE Event version 1.0.1.


[+] Report Timeline:

[30/07/2013] - Vulnerability reported to the vendor
[30/07/2013] - Developer confirm vulnerability and update released
[05/08/2013] - Public disclosure


[+] Credits:

Vulnerability discovered by Gaston Traberg.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ