16 lines
703 B
Text
Executable file
16 lines
703 B
Text
Executable file
# Exploit Title: KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability
|
|
# Date: 2010-08-11
|
|
# Author: fdisk (@fdiskyou)
|
|
# e-mail: fdiskyou at deniable.org
|
|
# Software Link: http://www.knowledgetree.com/products/community/download
|
|
# Version: 3.5.2
|
|
# Notes: Fixed in the last version.
|
|
|
|
|
|
Go to search box or search criteria, enter your javascript code and save your search.
|
|
These searches can be shared with all the users enabling us to insert malicious javascript code.
|
|
|
|
POC:
|
|
Load http://localhost/dashboard.php or http://localhost/search2.php?action=searchResults in the textbox enter <script>alert('moo')</script> and save your search.
|
|
Load saved searches to view result.
|
|
|