# Exploit Title: DomainTrader Domain Parking and Auction Script Multiple 0day Vulnerabilities
# Google Dork: Find yourself xD
# Date: 26/8/2014
# Exploit Author: Haider Mahmood | @HaiderMQ
# Vendor Homepage: http://www.smartscriptsolutions.com/domain-trader/
# Version: Tested on Latest Version 2.5.3

Add new administrator CSRF:
Username:
Email Address:
Password:
 
Add new user CSRF:
Username:
Password:
Confirm Password:
First Name:
Last Name:
Email Address:
Telephone:
Street Address:
City:
County/State:
Postcode/Zipcode:
Country:
Notify me by email when I receive a new message.
Notify me by email when I receive a new offer.
Notify me when an offer I made is accepted.
Notify me when an offer I made is cancelled
Notify me by email when a counter offer is made on a domain I own or am bidding on.
Notify me by email when a domain is pushed.
Notify me by email when a domain sale is complete.
XSS: The "Add new Administrator" field values are not properly sanitized, neither when they are inserted into the database nor when they are selected from it, resulting in persistent (stored) XSS.
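Both issues above, the forgeable "Add new administrator" request and the stored XSS in its field values, come down to a missing anti-CSRF token and missing output encoding. The following is an added example of the corrected handler shape and is not DomainTrader's own code; the session id, server secret, in-memory `ADMINS` table and the `add_administrator` / `render_admin_list` names are all constructed stand-ins.

```python
import hmac
import html
import secrets
from hashlib import sha256

# Constructed stand-in for a server-side secret; a real app would load it
# from configuration, not generate it at import time.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed stand-in for the administrators table.
ADMINS = []


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the caller's session. A cross-site page cannot read the
    victim's session, so it cannot produce this value for the hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted) -> bool:
    """Constant-time comparison against the token expected for this session."""
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, (submitted or "").encode())


def add_administrator(session_id: str, form: dict) -> bool:
    """'Add new administrator' handler (Username, Email Address, Password).
    Returns True only when the request carries a token for this session.
    The password is not stored here; a real handler would hash it."""
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return False  # forged or token-less request: reject, write nothing
    ADMINS.append({"username": form["username"], "email": form["email"]})
    return True


def render_admin_list() -> str:
    """Render stored values with HTML escaping so a username such as
    '<script>alert(1)</script>' is shown as text, not executed."""
    rows = "".join(
        f"<tr><td>{html.escape(a['username'])}</td>"
        f"<td>{html.escape(a['email'])}</td></tr>"
        for a in ADMINS
    )
    return f"<table>{rows}</table>"
```

Escaping at output is the check that stops the stored payload from running even if a bad value reached the database; the token check is what stops the forged insert in the first place.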