Zoho Planner suffers from cross site scripting and frame injection vulnerabilities.
# Exploit Title: IFrame Injection/Cross Site Scripting Zoho Planner
# Date: 26.03.2012
# Author: Sony and Flexxpoint
# Software Link: https://planner.zoho.com/login.do
# Web Browser: Mozilla Firefox
# Blog Flexxpoint: http://flexxpoint.blogspot.com/
# Blog Sony: http://st2tea.blogspot.com
# Site: http://insecurity.ro
# PoC:
http://st2tea.blogspot.com/2012/03/iframe-injection-zoho-planner.html
..................................................................
Well, we have a simple IFrame injection in Zoho Planner. Many of the fields in
Planner are vulnerable to IFrame injection.
Some pics:
http://1.bp.blogspot.com/-TeEgX-Bolyo/T3BbmuhsWfI/AAAAAAAAA3o/GZ44l0hxilA/s1600/planner.JPG
And we can share this page:
http://1.bp.blogspot.com/-kDhbFNr4Bts/T3BcA6qb9nI/AAAAAAAAA30/eAVwUeu0qSs/s1600/page.JPG
http://4.bp.blogspot.com/-cKc87zx7Jp8/T3BdPwYeq8I/AAAAAAAAA4A/brbijHo-R9U/s1600/zz.JPG
Links:
https://planner.zoho.com/public/9cFPJ%2B9AHivFeKtB5e%2B2xnTSQcOn7WCf
https://planner.zoho.com/public/9cFPJ%2B9AHivFeKtB5e%2B2xq%2BYywariZ7J
Video PoC: (simple)
http://www.youtube.com/embed/gUlby00Ai04
and Cross Site Scripting:
http://img62.imageshack.us/img62/9804/screenshot2732012.png
Persistent XSS.
https://planner.zoho.com/public/umYocnKNsn3FeKtB5e%2B2xkj3SVhWUBnO
http://2.bp.blogspot.com/-xqLeppn0Ljg/T3CtpbHOpiI/AAAAAAAAA4Y/qtSl4YKOP34/s1600/persistent.JPG
https://planner.zoho.com/public/umYocnKNsn3FeKtB5e%2B2xnTSQcOn7WCf
P.S. The IFrame injection can also be seen in Zoho Bugtracker (when changing a status).
http://2.bp.blogspot.com/-ui927W7TCcE/T3BjV8cgG3I/AAAAAAAAA4M/0wq-pZCAGAc/s1600/zoho-status.JPG
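The advisory describes field values that are stored and later rendered unescaped on a shared page, which is what turns an iframe or script tag in a field into a persistent injection. The following is an added example, not code from the advisory or from Zoho: it contrasts the unescaped rendering pattern with an escaped one and includes a small audit helper a defender could run over stored field values. The field value, field names and the rendering wrapper are constructed for illustration.

```python
import html
import re

# Constructed sample of a text field as the advisory describes: a task title
# that carries an iframe tag (hypothetical data, not from the page).
SAMPLE_FIELD = 'Team meeting <iframe src="https://example.invalid/"></iframe> at 10:00'

# Tags that render active content if they reach the browser unescaped.
ACTIVE_TAG_RE = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def render_field_unsafe(value: str) -> str:
    """The defect pattern: user text is concatenated into the page as-is."""
    return f'<div class="task">{value}</div>'


def render_field_safe(value: str) -> str:
    """The fix: HTML-escape on output so angle brackets and quotes become inert text."""
    return f'<div class="task">{html.escape(value, quote=True)}</div>'


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered HTML still contains a live iframe/script/object/embed tag."""
    return ACTIVE_TAG_RE.search(rendered) is not None


def audit_stored_fields(record: dict) -> list:
    """Return the names of stored fields whose raw text contains active markup.

    Useful for checking existing data after the output encoding is fixed, since
    escaping on render does not clean what is already in the database.
    """
    return [name for name, text in record.items() if ACTIVE_TAG_RE.search(text)]


if __name__ == "__main__":
    print("unsafe:", render_field_unsafe(SAMPLE_FIELD))
    print("safe:  ", render_field_safe(SAMPLE_FIELD))
    print("fields needing review:",
          audit_stored_fields({"title": SAMPLE_FIELD, "notes": "plain text only"}))
```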