# Exploit Title: Multiple XSS (non-persistent / persistent) in BigAce 2.7.2
# Date: 18.06.2010
# Author: lem
# Software Link: http://www.bigace.de
# Version: 2.7.2
# Tested on: Ubuntu 10 LTS
# CVE : nope
# Code :

There is an XSS vulnerability in the login page:

http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=application&id=-1_tauth_klogin_len

To see it, type "> as the login and the password (these are the POST values $UID and $PW). If you use, for example, DataTamper, you can set an XSS payload for the $language variable as well. So XSS is possible via $UID, $PW and $language. It is also possible to perform the XSS attack through the search engine (DataTamper + $language = {xss}).

In the admin panel we can do XSS via GET:

http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len&data[id]=1&adminCharset= ">&data[langid]=en&mode=rap

next:

http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len&data[id]= ">&adminCharset=&data[langid]=en&mode=rap

XSS was also found in $desingName and $description.

When creating a new user, click 'userdata'. Here you have 11 form fields, all exploitable by XSS: $mode, $data_id/firstname/lastname/homepage/phone/mobile/fax/company/street/city/citycode/country. When creating a new user, $userName is vulnerable to XSS.

On the logging page (admin panel) the variables $start, $amount, $namespace and $level are vulnerable. The statistics page is the same... this time the $mode variable is vulnerable.

That's (maybe) all. ;)

--
Best regards,
Jakub
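As an added defender-side illustration (not BigAce code), the pattern behind these findings in PHP: a login form that reflects the submitted $UID into an HTML attribute unescaped, next to a hardened version that encodes for the attribute context and validates enumerated parameters such as $language or $adminCharset against an allowlist. The render and helper function names are assumptions.

```php
<?php
// Added example, not BigAce code. Parameter names ($UID, $language,
// $adminCharset) follow the advisory; the functions are hypothetical.

// Vulnerable pattern: the submitted username is reflected straight into
// an HTML attribute. The advisory's payload  ">  closes the value and the
// tag, so anything the client sends after it is parsed as markup.
function renderLoginVulnerable(string $uid): string
{
    return '<input type="text" name="UID" value="' . $uid . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES also
// escapes single quotes (relevant for single-quoted attributes) and
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function renderLoginSafe(string $uid): string
{
    $enc = htmlspecialchars($uid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="UID" value="' . $enc . '">';
}

// Enumerated parameters such as $language or $adminCharset should never be
// reflected verbatim: accept only a known value, otherwise fall back to a
// default. This also removes the DataTamper-style $language vector.
function pickAllowed(string $requested, array $allowed, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed demonstration input: the payload quoted in the advisory.
$payload = '">';

// The vulnerable form emits an attribute that is terminated early by the
// payload; the safe form keeps the whole payload inside the attribute value.
echo renderLoginVulnerable($payload) . PHP_EOL;
echo renderLoginSafe($payload) . PHP_EOL;

// Neither the language nor the charset parameter reaches the page unless it
// is one of the configured values.
echo pickAllowed($payload, ['en', 'de'], 'en') . PHP_EOL;
echo pickAllowed($payload, ['UTF-8', 'ISO-8859-1'], 'UTF-8') . PHP_EOL;
```

Output encoding must match the context the value lands in (attribute, element body, JavaScript, URL); htmlspecialchars as used here is only correct for the first two.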