#Title : TheHostingTool 1.2.x Multiple Cross Site Scripting
#Author : DevilScreaM
#Date : 7 December 2013
#Category : Web Applications
#Vendor : http://thehostingtool.com/
#Version : 1.2.x
#Type : PHP
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
          Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Tested : Mozilla, Chrome, Opera -> Windows & Linux
#Vulnerability : Cross Site Scripting

POC & Exploit

XSS 1

http://127.0.0.1/admin/?page=servers&sub=add
In the "Name" column, input your XSS

View your XSS at
http://127.0.0.1/admin/?page=servers&sub=view
http://127.0.0.1/admin/?page=servers&sub=test

XSS 2

http://127.0.0.1/admin/?page=staff&sub=add
In the "Username" column, input your XSS

View your XSS at
http://127.0.0.1/admin/?page=staff&sub=edit

XSS 3

1. Create a category at http://127.0.0.1/admin/?page=kb&sub=cat
2. After creating the category, create an article at http://127.0.0.1/admin/?page=kb&sub=art
3. In the "Name" or "Article Name" column, input your XSS Example
4. View your XSS at http://127.0.0.1/support/
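
The values entered in these fields are stored and then displayed on other pages, so a fix has to encode them where they are output. The following is an added example, not part of the original advisory and not TheHostingTool code: a regression check that classifies saved response bodies by whether an inert marker stored in a field comes back encoded. The marker, the function names and the sample HTML are constructed assumptions.

```python
from html import unescape
from html.parser import HTMLParser

# Constructed, inert marker: it carries the characters that must be encoded
# (" < >) but no script, so it is harmless to store in a test instance.
MARKER = 'tht-canary"<thtcanary>'

class _TagSpotter(HTMLParser):
    """Flags the response if the marker's tag was parsed as a real element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.live = False

    def handle_starttag(self, tag, attrs):
        if tag == "thtcanary":
            self.live = True

def classify(body):
    """Return 'unencoded', 'encoded' or 'absent' for one response body."""
    spotter = _TagSpotter()
    spotter.feed(body)
    spotter.close()
    # A live element or a character-for-character copy means the value was
    # echoed raw (this also catches partial encoding, e.g. quotes only).
    if spotter.live or MARKER in body:
        return "unencoded"
    # Only visible after entity decoding: the page encoded it on output.
    if MARKER in unescape(body):
        return "encoded"
    return "absent"

def audit(pages):
    """Map each display page to its classification."""
    return {url: classify(body) for url, body in pages.items()}

# Constructed sample bodies for the three display pages named in the advisory.
SAMPLE_PAGES = {
    "/admin/?page=servers&sub=view": '<td>tht-canary"<thtcanary></td>',
    "/admin/?page=staff&sub=edit":
        '<input name="user" value="tht-canary&quot;&lt;thtcanary&gt;">',
    "/support/": "<li>tht-canary&#34;<thtcanary></li>",
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_PAGES).items():
        print(f"{verdict:10} {url}")
```

Any page reported as "unencoded" still echoes the stored field without output encoding.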