Xorbin Analog Flash Clock 1.0 For Joomla XSS

[Matt]

Description : Xorbin Analog Flash Clock plugin version 1.0 for Joomla suffers from a flash-based cross site scripting vulnerability.

Author : Prakhar Prasad, Rafay Baloch

Source : Xorbin Analog Flash Clock 1.0 For Joomla XSS ? Packet Storm

Code :

====================================================================
Xorbin Analog Flash Clock 1.0 Extension for Joomla Flash-based XSS
====================================================================

Description: This plugin displays analog flash clock on your website. It's easy to use and it's highly customizable. You can add analog flash clock to your website as a widget and use as many clocks as you like on one page

Published: 30-06-2013
Version  : 1.0
Severity : Low to Moderate
CVSS Score: 5
CVE: 2013-4692
Authors  : Prakhar Prasad http://www.prakharprasad.com
           Rafay Baloch http://www.rafayhackingarticles.net
Download : http://extensions.joomla.org/extensions/calendars-a-events/time/clocks/21026
Vendor   : XORBin http://www.xorbin.com/
Google Dork: inurl:mod_xoranalogclock

Details:

The vulnerability exists in "xorAnalogClock.swf" file of this extension, "widgetUrl" and "urlWindow" parameter is taken 
from external input and is passed first into URLRequest() and then to navigateToURL() function.

     Pseudocode: navigateToURL(new URLRequest(_root.widgetUrl), _root.urlWindow);


Proof-of-Concept:

http://domain.tld/joomla/modules/mod_xoranalogclock/media/xorAnalogClock.swf#?urlWindow=_self&widgetUrl=javascript:alert(1);

Clicking on clock will execute the Javascript payload.


Solution: 

Similar method can be applied as described here - https://code.google.com/p/doctype-mirror/wiki/ArticleFlashSecurityGetURL