Joomla Phocagallery 3.0.0 / 4.0.0 Cross Site Scripting

2013-05-14 / 2014-06-29
Credit: Rafay Baloch And Deepankar Arora
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
Dork: inurl:com_phocagallery

# Exploit Title: Joomla com_phocagallery Plupload Flash XSS # Release Date: 13/05/2013 # Author: Rafay Baloch And Deepankar Arora # Contact: http://rafayhackingarticles.net # Vendor: phoca.cz # Versions Affected: 3.0.0 - 4.0.0 # Google Dork: inurl:com_phocagallery Description: The vulnerability with plupload with a known vulnerability, however com_phocagallery uses it, The id parameter is not sanitized. Therefore it results in a flash based xss. The vulnerable code is as follows: this.id = this.stage.loaderInfo.parameters["id"]; As you can see that there is not type of filtering being performed at the id parameter. POC: http://localhost/joomla/components/com_phocagallery/assets/plupload/plupload.flash.swf?id=0\%22))}catch(e){if(!window.x){window.x=1;alert(2)}}// Fix: Sanitize the input. this.id = (this.stage.loaderInfo.parameters["id"]).toString().replace(/[^\w]/g, ''); The above would filter out all the special characters. References: https://github.com/moxiecode/plupload/commit/2d746ee -- Warm Regards, Rafay Baloch http://rafayhackingarticles.net http://techlotips.com

References:

http://rafayhackingarticles.net
http://techlotips.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top