Joomla Jnews 8.0.1 Cross Site Scripting

2013.05.14
Credit: Deepankar Arora And Rafay Baloch
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
Dork: inurl:com_jnews

# Exploit Title: Joomla com_jnews Open Flash-Chart XSS # Release Date: 14/05/2013 # Author: Deepankar Arora And Rafay Baloch # Blog: http://rafayhackingarticles.net # Vendor: www.joobi.co # Versions Affected: 8.0.1(latest) and earlier # Google Dork: inurl:com_jnews Description: The vulnerability with Open-Flash Chart is a known vulnerability, however it is integrated with com_jnews, The get-data parameter is not sanitized. Therefore it results in a flash based cross-site scripting. The vulnerable code is as follows: var _local2 = open_flash_chart_data "; if (this.chart_parameters ["get-data"]) { _local2 = this.chart_parameters ["get-Data"]; }; if (this.chart_parameters ["id"]) { _local3 = this.callExternalCallback (_local2 this.chart_parameters ["id"]); } else { _local3 = this.callExternalCallback (_local2); }; We can see from the code that when called, get-data parameter is directly passed to _local2 without proper sanitization. POC: http://localhost/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})() Fix: Sanitize the input. _local2 = (this.chart_parameters ["get-Data"]).toString().replace(/[^\w]/g, ''); The above would filter out all the special characters. References: http://www.wooyun.org/bugs/wooyun-2010-07265

References:

http://www.wooyun.org/bugs/wooyun-2010-07265


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top