+--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : Wolfcms <= 0.75 new Persistent XSS # Date : 26-03-2012 # Author : Ivano Binetti (http://www.ivanobinetti.com) # Software link : http://wolfcms.googlecode.com/files/wolfcms_075.zip # Vendor site : http://www.wolfcms.org/ # Version : 0.75 and lower # Tested on : Debian Squeeze (6.0) # Original Advisory: http://www.webapp-security.com/2012/03/wolf-cms-new-persistent-xss/ +--------------------------------------------------------------------------------------------------------------------------------+ Summary 1)Introduction 2)Vulnerabilities Description 3)Exploit +--------------------------------------------------------------------------------------------------------------------------------+ 1)Introduction Wolfcms is a "ligh-weight, fast, simple and powerful" cms. 2)Vulnerabilities Description Wolfcms 0.75 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of "setting[admin_email]" parameter, passed to server side logic (path: "wolfcms/admin/setting") via http POST method. Exploiting this vulnerability an authenticated admin could insert arbitrary code in "Site email" field which will be executed when another admin clicks on "Administrator" tab. 3)Exploit Insert the following code in "Site email" field: email@email.com"> +--------------------------------------------------------------------------------------------------------------------------------+