ed38447971
45 changes to exploits/shellcodes Microsoft Edge - 'UnmapViewOfFile' ACG Bypass JBoss Remoting 6.14.18 - Denial of Service Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service ABRT - raceabrt Privilege Escalation(Metasploit) Joomla! Component Fastball 1.1.0 < 1.2 - SQL Injection Joomla! Component Fastball 1.1.0 < 1.2 - 'league' SQL Injection Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution EPIC MyChart - SQL Injection TV - Video Subscription - Authentication Bypass SQL Injection UserSpice 4.3 - Blind SQL Injection Twig < 2.4.4 - Server Side Template Injection Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site Scripting Joomla! Component Advertisement Board 3.1.0 - 'catname' SQL Injection Joomla! Component Aist 2.0 - 'id' SQL Injection Joomla! Component AllVideos Reloaded 1.2.x - 'divid' SQL Injection Joomla! Component DT Register 3.2.7 - 'id' SQL Injection Joomla! Component Fastball 2.5 - 'season' SQL Injection Joomla! Component File Download Tracker 3.0 - SQL Injection Joomla! Component Form Maker 3.6.12 - SQL Injection Joomla! Component Gallery WD 1.3.6 - SQL Injection Joomla! Component Google Map Landkarten 4.2.3 - SQL Injection Joomla! Component InviteX 3.0.5 - 'invite_type' SQL Injection Joomla! Component JB Bus 2.3 - 'order_number' SQL Injection Joomla! Component jGive 2.0.9 - SQL Injection Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection Joomla! Component JquickContact 1.3.2.2.1 - SQL Injection Joomla! Component JS Autoz 1.0.9 - SQL Injection Joomla! Component JS Jobs 1.1.9 - SQL Injection Joomla! Component JTicketing 2.0.16 - SQL Injection Joomla! Component MediaLibrary Free 4.0.12 - SQL Injection Joomla! Component NeoRecruit 4.1 - SQL Injection Joomla! Component Project Log 1.5.3 - 'search' SQL Injection Joomla! Component Realpin 1.5.04 - SQL Injection Joomla! Component SimpleCalendar 3.1.9 - SQL Injection Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection Joomla! Component Solidres 2.5.1 - SQL Injection Joomla! Component Staff Master 1.0 RC 1 - SQL Injection Joomla! Component Timetable Responsive Schedule For Joomla 1.5 - 'alias' SQL Injection Joomla! Pinterest Clone Social Pinboard 2.0 - SQL Injection Joomla Component ccNewsletter 2.x.x 'id' - SQL Injection Joomla! Component Saxum Astro 4.0.14 - SQL Injection Joomla! Component Saxum Numerology 3.0.4 - SQL Injection Joomla! Component SquadManagement 1.0.3 - SQL Injection Joomla! Component Saxum Picker 3.2.10 - SQL Injection Front Accounting ERP 2.4.3 - Cross-Site Request Forgery PHIMS - Hospital Management Information System - 'Password' SQL Injection PSNews Website 1.0.0 - 'Keywords' SQL Injection Oracle Primavera P6 Enterprise Project Portfolio Management - HTTP Response Splitting
28 lines
No EOL
982 B
Text
28 lines
No EOL
982 B
Text
# Exploit Title: Joomla! Component SIGE version <= 3.2.3 Cross-site Scripting
|
|
# Date: 15-02-2018
|
|
# Software Link: https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.2.3.zip
|
|
# Exploit Author: Alwin Peppels
|
|
# Website: www.onvio.nl
|
|
# CVE: CVE-2017-16356
|
|
# Category: webapps
|
|
|
|
1. Description
|
|
Kubik-Rubik Simple Image Gallery Extended (SIGE) contains an XSS in the
|
|
'print.php' file.
|
|
Insufficient sanitization of the 'caption' URL parameter allows injection
|
|
of Javascript into the page.
|
|
In versions <= 3.2.0 the 'name' and 'img' parameters are vulnerable as well.
|
|
Google dork: inurl:plugin_sige/print.php
|
|
|
|
The version of the SIGE plugin can be determined with this file:
|
|
[JOOMLA]/plugins/content/sige/sige.xml
|
|
|
|
2. Proof of Concept
|
|
|
|
|
|
[JOOMLA]/plugins/content/sige/plugin_sige/print.php?img=x&caption=<img%20src=x%20onerror=alert(%27XSS%27)>
|
|
|
|
3. Solution:
|
|
|
|
Update to version 3.3.0
|
|
https://downloads.kubik-rubik.de/joomla-extensions/plg_sige_v3.3.0.zip |