__fuzion___    ____     
       ______/   \__//   \__/____\    
     _/   \_/  :           //____\\   
    /|      :  :  ..      /        \  
   | |     ::     ::      \        /  
   | |     :|     ||     \ \______/   
   | |     ||     ||      |\  /  |    
    \|     ||     ||      |   / | \   
     |     ||     ||      |  / /_\ \  
     | ___ || ___ ||      | /  /    \ 
      \_-_/  \_-_/ | ____ |/__/      \
                   _\_--_/    \      /
                  /____             / 
                 /     \           /  
                 \______\_________/   


Product:
efront e-learning LMS 3.1.2
http://www.efrontlearning.net/

Vulnerable:
http://[site]/index.php?message=[xss]
http://[site]/send_file.php?message=[xss]

Extra:
send_file.php does not require any privledges to upload. Note that exe, php, and php3 filetypes are denied by default.
Uploaded files are stored in http://[site]/content/lessons/Students/

Greetings to:
d3hydr8, whoami, beenu, kasi, MosDef, etc
Everyone at darkc0de.com & rootmybox.org