# Exploit Title: Dijitals CMS XSS Vulnerabilities
# Date: 10.06.2010
# Author: Valentin
# Category: webapps/0day
# Version: latest version
# Tested on: 
# CVE :  
# Code : 


[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
>> General Information 
Advisory/Exploit Title = Dijitals CMS XSS Vulnerabilities
Author = Valentin Hoebel
Contact = valentin@xenuser.org


[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
>> Product information
Name = Dijitals CMS 
Vendor = Dijitals 
Vendor Website = http://www.dijitals.com/
Affected Version(s) = latest version

 
[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
>> XSS
All input fields are vulnerable, e.g. search boxes and forms. The login box
of the admin panel is also exposed to XSS attacks.


[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
>> Additional Information
Advisory/Exploit Published = 10.06.2010
Several filters try to avoid XSS, SQL injection and local + remote file inclusions.
The XSS filters can be tricked by e.g. using String.fromCharCode.


[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
>> Misc
Greetz && Thanks = hack0wn, JosS


[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]