Joomseller "Events Booking Pro" and "JSE Event" reflected XSS

2013-09-09T00:00:00
ID SECURITYVULNS:DOC:29775
Type securityvulns
Reporter Securityvulns
Modified 2013-09-09T00:00:00

Description


Joomseller "Events Booking Pro" and "JSE Event" reflected XSS

[+] Software Link:

http://www.joomseller.com/joomla-components/jse-event.html

[+] Affected Versions:

Component com_events_booking_v5 Component com_jse_event < 1.0.1

[+] Vulnerability Description:

The vulnerable files are the following:

.- For JSE Event: /modules/mod_jse_mini_calendar/tmpl/tootip.php

.-For Events Booking pro: /modules/mod_eb_v5_mini_calendar/tmpl/tootip.php

The "info" parameter is not correctly sanitized before being used, allowing an attacker to perform XSS attacks.

As a proof of concept, an attacker could perform the following request:

http://example.com/modules/mod_eb_v5_mini_calendar/tmpl/tootip.php?info=eyJldmVudHMiOiIoMTU6MDA6MDApIDxzY3JpcHQ%2BYWxlcnQoMSk7PC9zY3JpcHQ%2BIiwgImV2ZW50X2lkIjoiNjQiLCAiaXRlbWlkIjoiMSIsICJldnJfaWQiOiIxMTkxIn0%3D

where the contents of the info parameter is the following payload encoded using base64 encoding

{"events":"(15:00:00) <script>alert(1);</script>", "event_id":"64", "itemid":"1", "evr_id":"1191"}

[+] Solution:

Upgrade to JSE Event version 1.0.1.

[+] Report Timeline:

[30/07/2013] - Vulnerability reported to the vendor [30/07/2013] - Developer confirm vulnerability and update released [05/08/2013] - Public disclosure

[+] Credits:

Vulnerability discovered by Gaston Traberg.