Code:
Name 	: Bigace 2.7.2   

Vendor 	: http://www.bigace.de/

Bug 	: XSS
  
Date 	: 18.06.2010
 
Tested 	: Ubuntu 10 LTS
 
Thanks	: 4 you
 
Details	:

There is an XSS vulnerability in the login page:
http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=application&id=-1_tauth_klogin_len

To see it, type the following into the login and password fields: "><script>alert(xsshere)</script>
(these are the POST $UID and $PW values). If you use, for example, DataTamper, you can set XSS for the $language variable as well.
So XSS is possible via $UID, $PW and $language.


It's also possible to make an XSS attack through the search engine (DataTamper + $language = {xss}).

In the admin panel we can do XSS via GET:
http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len&data[id]=1&adminCharset="><script>alert(1)</script>&data[langid]=en&mode=rap

Next:

http://localhost/cmz2/bigace2.7.2/public/index.php?cmd=admin&id=fileAdmin_tADMIN_len&data[id]="><script>alert(2)</script>&adminCharset=&data[langid]=en&mode=rap

XSS was also found in $desingName and $description.
When setting up a new user, click 'userdata'. Here you have 11 form fields, all exploitable by XSS:
$mode, $data_id/firstname/lastname/homepage/phone/mobile/fax/company/street/city/citycode/country.

When creating a new user, $userName is vulnerable to XSS.

On the logging page (admin panel), the vulnerable variables are $start, $amount, $namespace and $level.

The statistics page is the same... This time the $mode variable is vulnerable.

That's (maybe) all. ;)
Vendor notified.
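
The "> payloads above work because request values are echoed into a quoted HTML attribute without encoding. The following is an added example of the corresponding fix, not Bigace source code and not part of the original advisory: the helper names h() and pick(), the allowlists and the sample request arrays are all hypothetical or constructed.

```php
<?php
// Added example: not Bigace source. Function names and lists are hypothetical.

// Encode a value for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept a value only if it is in a fixed allowlist, else fall back.
function pick(string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

// Constructed request data mirroring the parameters named in the advisory.
$post = [
    'UID'      => '"><script>alert(xsshere)</script>',
    'language' => '"><script>alert(1)</script>',
];
$get = [
    'adminCharset' => '"><script>alert(1)</script>',
    'data'         => ['id' => '"><script>alert(2)</script>'],
];

// Before: raw interpolation lets "> close the attribute and the tag.
$vulnerable = '<input type="text" name="UID" value="' . $post['UID'] . '">';

// After: free-text fields are encoded on output ...
$hardened = '<input type="text" name="UID" value="' . h($post['UID']) . '">';

// ... and fields with a known shape are validated on input.
$language = pick($post['language'], ['en', 'de'], 'en');               // constructed list
$charset  = pick($get['adminCharset'], ['UTF-8', 'ISO-8859-1'], 'UTF-8'); // constructed list
$id       = filter_var($get['data']['id'], FILTER_VALIDATE_INT);       // false if not an integer

echo $vulnerable, "\n";
echo $hardened, "\n";
var_dump($language, $charset, $id);
```

The same two rules cover the other fields listed above: free-text values such as the user data fields are encoded at output, while values like $start, $amount and $level are validated as integers before use.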