Code:
# exploit title: html injection in autosite php 2.0.3
# date: 3.o3.2o11
# author: lemlajt
# software :
# version:
# tested on: linux
# cve :
# Description:

Some vulnerabilities have been discovered in AutositePHP, which can be exploited by malicious people to conduct cross-site scripting and script/HTML insertion attacks.

1) Input passed via the "to", "subject" and "message" parameters to "autositephp2_0_3/autositephp/index.php?page=users/privatemessages/index.php&folder=inbox&op=send" is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious article is being viewed.

In parameters 1) and 2) it is possible to insert XSS, but the $message parameter is vulnerable to HTML injection.

2) Input passed via the "year" parameter to "autositephp2_0_3/autositephp/index.php?page=pages/Site Stats/index.php" is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious article is being viewed.

# regards,
# lemlajt
# *
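
One way to close both issues, shown as an added example that is not AutositePHP's own code: the "to", "subject" and "message" fields are HTML-encoded at the point where they are written into the page, and "year" is accepted only as an integer. The function names, the 1970-2100 range and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not AutositePHP source.
// Function names and sample values are hypothetical.
declare(strict_types=1);

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one stored private message. Every user-supplied field is
// encoded at output time, so stored markup is displayed as text.
function render_private_message(array $msg): string
{
    $to      = h((string)($msg['to'] ?? ''));
    $subject = h((string)($msg['subject'] ?? ''));
    // Encode first, then convert newlines, so the only tags are our own <br />.
    $body    = nl2br(h((string)($msg['message'] ?? '')));

    return "<div class=\"pm\"><p>To: {$to}</p><h3>{$subject}</h3><p>{$body}</p></div>";
}

// Accept "year" only as an integer inside an assumed plausible range;
// anything else (including input carrying markup) falls back to $default.
function parse_year($raw, int $default): int
{
    $year = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1970, 'max_range' => 2100],
    ]);
    return $year === false ? $default : $year;
}

// Constructed sample input containing inert markup.
$sample = [
    'to'      => 'admin"><b>x</b>',
    'subject' => '<i>hello</i>',
    'message' => "line one\n<u>line two</u>",
];

echo render_private_message($sample), PHP_EOL;
echo parse_year('2011', 2011), PHP_EOL;         // well-formed year is accepted
echo parse_year('2011<b>x</b>', 2011), PHP_EOL; // markup is rejected, default used
```

Encoding at output rather than stripping tags at input keeps the stored message intact and still covers values that reached the database before the fix.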