# Exploit Title: Dijitals CMS XSS Vulnerabilities
# Date: 10.06.2010
# Author: Valentin
# Category: webapps/0day
# Version: latest version
# Tested on:
# CVE :
# Code :
[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
>> General Information
Advisory/Exploit Title = Dijitals CMS XSS Vulnerabilities
Author = Valentin Hoebel
Contact = valentin@xenuser.org
[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
>> Product information
Name = Dijitals CMS
Vendor = Dijitals
Vendor Website = http://www.dijitals.com/
Affected Version(s) = latest version
[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
>> XSS
All input fields are vulnerable, e.g. search boxes and forms. The login box
of the admin panel is also exposed to XSS attacks.
[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
>> Additional Information
Advisory/Exploit Published = 10.06.2010
Several filters attempt to block XSS, SQL injection and local/remote file inclusion.
The XSS filters can be bypassed, e.g. by using String.fromCharCode, because they
match on a fixed list of tokens rather than encoding output.
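As an added illustration (not code from Dijitals CMS or from this advisory), the following contrasts a hypothetical blacklist filter of the kind described above with contextual output encoding, the fix that makes such bypasses irrelevant. The token list, function names and the sample input are all constructed for the example.

```python
import html

def blacklist_filter(value: str) -> str:
    """Hypothetical input filter: strips a fixed list of well-known tokens.
    Anything the list does not name, such as an event-handler attribute whose
    body is a String.fromCharCode expression, passes through untouched."""
    for token in ("<script", "</script>", "javascript:", "alert("):
        value = value.replace(token, "")
    return value

def encode_for_html(value: str) -> str:
    """Encode untrusted text for an HTML element body or quoted attribute.
    Every character that can open markup (& < > " ') becomes an entity, so
    the browser renders the value as text regardless of how it was obfuscated."""
    return html.escape(value, quote=True)

def filter_leaves_markup(value: str) -> bool:
    """Check a reviewer would run against a blacklist filter: does the
    filtered value still contain a raw tag opener or an on* handler?"""
    filtered = blacklist_filter(value).lower()
    return "<" in filtered or " on" in filtered and "=" in filtered

def render_search_result(term: str) -> str:
    """The pattern a search page should use: encode at the point of output,
    inside the template, rather than trusting an input filter."""
    return f"<p>Results for: {encode_for_html(term)}</p>"

# Constructed sample input in the shape the advisory mentions: no blacklisted
# token is present, only a String.fromCharCode expression (which merely
# evaluates to the string "XSS") inside an event-handler attribute.
SAMPLE_INPUT = '<img src=x onerror="String.fromCharCode(88,83,83)">'

if __name__ == "__main__":
    print("blacklist output :", blacklist_filter(SAMPLE_INPUT))
    print("still markup?    :", filter_leaves_markup(SAMPLE_INPUT))
    print("encoded output   :", encode_for_html(SAMPLE_INPUT))
    print("rendered page    :", render_search_result(SAMPLE_INPUT))
```

The blacklist returns the sample unchanged, while the encoded form contains no `<` at all and the page renders the input as literal text.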
[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
>> Misc
Greetz && Thanks = hack0wn, JosS
[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]