# Exploit Title: XWiki Cross Site Scripting
# Date: 4.02.2012
# Author: Sony
# Software Link: http://www.xwiki.org/
# Software Version: XWiki Enterprise 3.4
# Google Dorks: inurl:xwiki/bin/
# Web Browser : Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC:
http://st2tea.blogspot.com/2012/02/xwiki-cross-site-scripting.html
..................................................................

"Wikimania")

Well, we have xss in comments form in blogs.

http://www.xwiki.org/xwiki/bin/view/Blog/XWikiEnterprise14RC1Released

http://2.bp.blogspot.com/-HpmVc3wIh1c/Ty0tSh-IhZI/AAAAAAAAAY4/7aPfjXDmfxA/s1600/wikicom.JPG

http://1.bp.blogspot.com/-z6QWmskUCqQ/Ty0tXTWYeeI/AAAAAAAAAZE/kk0bg5ffWsI/s1600/wikicom2.JPG



And yes, in the profile..(TWiki,Foswiki..)

http://www.xwiki.org/xwiki/bin/XWiki/SonyStyles

http://3.bp.blogspot.com/-Af35Gs4ceRo/Ty0tmxqkwCI/AAAAAAAAAZQ/hfjtFeLMmHo/s1600/xwiki.JPG

In the old versions we can see cross site scripting in different places.

Video later i put in my blog.