Elefant CMS 1.0.2 Cross Site Scripting

2012-03-01T00:00:00
ID PACKETSTORM:110367
Type packetstorm
Reporter Karthik R
Modified 2012-03-01T00:00:00

Description

                                        
                                            `  
elefantcms  
vendor: http://www.elefantcms.com  
Version: Latest stable release: 1.0.2  
Author: Karthik R (3psil0nLambDa)  
Email: Karthik.cupid@gmail.com  
My blog: www.epsilonlambda.wordpress.com  
Google dork: Powered by Elefant CMS  
  
------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
Description about the CMS  
  
Elefant is a content management system written in PHP that includes a modern PHP framework for web developers. Elefant is easy-to-use and straight-forward for all levels of users. It is also secure, fast, well-documented, and well-tested.  
  
Elefant's admin tools are minimalist without sacrificing flexibility. We wanted a system that even our moms could use with little or no help, but that power users will enjoy using too. So we made hard choices to keep a lot of needless complexity out.  
  
Instead, we focus on providing a solid editing experience out-of-the-box, well-considered default settings, and just the right set of features to satisfy 90% of the sites we encounter, as opposed to sacrificing simplicity in order to solve every possible edge case.  
  
------------------------------------------------------------------------------------------------------------------------------------------------------------  
* PERSISTENT XSS VULNERABILITY :  
  
In the admin panel, input the TITLE and BODY with the following code, leading to Persistent XSS exploit in the CMS  
  
Exploit: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>  
  
------------------------------------------------------------------------------------------------------------------------------------------------------------  
`