jakcms 2.0 pro rc5 - Persistent Cross-Site Scripting via useragent http header Injection

EDB-ID:

16128

CVE:


EDB Verified:

Author:

Saif El-Sherei

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2011-02-07

Vulnerable App: 
# Exploit Title: JAKCMS 2.0 PRO RC5 stored XSS via useragent HTTP header
Injection
# Date: 7-2-2011
# Author: Saif El-Sherei
# Software Link:
http://php.opensourcecms.com/scripts/redirect/download.php?id=480
# Version: JAKCMS PRO 2.0 RC5 and probably earlier version
# Tested on: Firefox 3.0.15, , IE 8
# Vendor Notified: vendor notified"7-2-2011", awaiting vendor response.
# Vendor Respons: http://www.jakcms.com/tracker/t/12/jakcms-2-pro-rc5-stored-xss-via-useragent-http-header-injection
# Google Dork: "Powered By JAKCMS"

Info:
Our content managament system PRO is made for professional websites any
kind. Content publishing, Forum, Blog, Events, Gallery, Tags, News,
Newsletter, Search, Security and more - the PRO has it all. CMS PRO is the
choice for people who are serious about creating thriving online websites.

Details:

An attacker can exploit this vuln since using an intercepting proxy, where
an attacker can modify the "user-agent HTTP header" the Header is displayed
and stroed unsantized in the admin logs on failed and successful logins.

POC:

useragent: <script>alert('XSS')</script>

Regards,

Saif El-Sherei
OSCP
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services