BigAce 2.7.2 Cross Site Scripting

`# Exploit Title: Multiple XSS (non/persistant) in BigAce 2.7.2  
# Date: 18.06.2010  
# Author: lem  
# Software Link: http://www.bigace.de  
# Version: 2.7.2  
# Tested on: Ubuntu 10 LTS  
# CVE : nope  
# Code :  
  
There is a XSS vulnerability in login page.  
http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=application&id=-1_tauth_klogin_len  
  
to see it, type in login and password: ">  
(its POST $UID and $PW value). If You use for example DataTamper You can set  
XSS for $language variable as well.  
So there is an option to XSS by $UID, $PW and $language.  
  
  
Its also possible to make XSS attack by search engine (DataTamper +  
$language = {xss}).  
  
In admin panel we can do xss via GET:  
http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len&data[id]=1&adminCharset=  
">&data[langid]=en&mode=rap  
  
next:  
  
http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len&data[id]=  
">&adminCharset=&data[langid]=en&mode=rap  
  
XSS found also with $desingName, $description.  
When setting new user, click to 'userdata'. Here you have 11 form field -  
all exploitable by XSS:  
$mode,  
$data_id/firstname/lastname/homepage/phone/mobile/fax/company/street/city/citycode/country.  
  
When creating new user $userName is vulnerable to XSS.  
  
When we get to logging page (admin panel): variables $start, $amount,  
$namespace and $level.  
  
Statistic page is the same... This tame $mode var is vulnerable.  
  
Thats (maybe) all. ;)  
--  
Best regards,  
Jakub  
`