John CMS 5.1 Cross Site Scripting

2013.09.10
Credit: DevilScreaM
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#Exploit Title : JohnCMS 5.1 Persistent XSS Vulnerability
#Author : DevilScreaM
#Date : 08/09/2013
#Category : Web Applications
#Vendor : http://johncms.com/
#Product Link : http://johncms.com/download/?cat=481
#Version : 1.0 - 5.1
#Dork intext:Powered by JohnCMS
#Vulnerability : Persistent XSS Vulnerability
#Tested On : Windows 7 32 Bit, Windows XP (Mozilla & Chrome)
#Greetz : Newbie-Security.or.id

Persistent XSS Vulnerability

1. Register on the site: http://site/registration.php
2. After registering, go to the forum (http://site/forum/)
3. Select a sub-forum and click New Topic
4. In the "Tags" field, input your XSS

Example
<h1>Tested by DevilScreaM</h1>

Screenshot at New Topic
http://i43.tinypic.com/6o2xad.png

==============================================================================

Example XSS
http://www.waptok.asia/forum/index.php?id=298
http://www.waptok.asia/forum/lol123_298.html
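The advisory does not show the affected code. As an added example (not taken from the advisory or from the JohnCMS source), the PHP below contrasts a renderer that echoes a stored "Tags" value unencoded with one that encodes it for each output context. The function names, the comma-separated tag format, and the search.php URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; none of these names come from the JohnCMS code base.
// Requires the mbstring extension.

/** Split the raw "Tags" field into a bounded list of trimmed, unique tags. */
function normalize_tags(string $raw, int $maxTags = 10, int $maxLen = 32): array
{
    $tags = [];
    foreach (explode(',', $raw) as $tag) {
        // Drop control characters, then trim surrounding whitespace.
        // Invalid UTF-8 makes preg_replace return null, which becomes ''.
        $tag = trim((string) preg_replace('/[\x00-\x1F\x7F]/u', '', $tag));
        if ($tag === '') {
            continue;
        }
        // Key by lowercase form so "PHP" and "php" collapse to one entry.
        $tags[mb_strtolower($tag)] = mb_substr($tag, 0, $maxLen);
    }
    return array_slice(array_values($tags), 0, $maxTags);
}

/** BEFORE: the stored value is concatenated into HTML as-is. */
function render_tags_unsafe(array $tags): string
{
    return '<div class="tags">' . implode(', ', $tags) . '</div>';
}

/** AFTER: each tag is encoded for the context it lands in. */
function render_tags_safe(array $tags): string
{
    $links = [];
    foreach ($tags as $tag) {
        // HTML text context: encode <, >, &, and both quote characters.
        $text = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        // URL query context: percent-encode (search.php is a hypothetical URL).
        $href = 'search.php?tag=' . rawurlencode($tag);
        $links[] = '<a href="' . $href . '">' . $text . '</a>';
    }
    return '<div class="tags">' . implode(', ', $links) . '</div>';
}

// Constructed input: one ordinary tag plus the markup from step 4 above.
$stored = normalize_tags('php, <h1>Tested by DevilScreaM</h1>');
echo render_tags_unsafe($stored), PHP_EOL; // markup is emitted unencoded
echo render_tags_safe($stored), PHP_EOL;   // markup is emitted as literal text
```

Encoding at output time also neutralises values that were stored before the fix, which input filtering alone would miss.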




Copyright 2024, cxsecurity.com

 
