Name : Joomla Health & Fitness Stats Persistent XSS Vulnerability Date : july 12,2010 Critical Level : HIGH vendor URL :http://joomla-extensions.instantiate.co.uk/jcomponents/healthstats Author : Sid3^effects aKa HaRi special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_ greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz ####################################################################################################### Description To allow users of an Exercise & Fitness community site to be able to record their progress of various health and fitness measures such as body weight, blood pressure, number of press-ups in 60seconds, time for 1000m run etc. Goals can be set by the user which appear as red lines across the graph area. The user is also given the option to create 'custom stats' for which they can set the unit of measurement and whether best is highest or lowest. This component also includes a Central Stats page which pulls together the most recent values of each user for each parameter and averages these for Male and Female users. ####################################################################################################### Xploit: Persistent XSS Vulnerability This vulnerability exists in the comments section. 1. Goto any of the option like HEALTH STATS,FITNESS STATS or CUSTOM STATS 2. Select Add/Update option and insert your xss script :) 3. Once inserted goto Edit records and check your xss :P Attack Pattern:">>

XSS3d by Sid3^effects

DEMO URL : http:///jcomponents/healthstats/statistics-demo