#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 #0 _ __ __ __ 1 #1 /' \ __ /'__`\ /\ \__ /'__`\ 0 #0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 #1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 #0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 #1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 #0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 #1 \ \____/ >> Exploit database separated by exploit 0 #0 \/___/ type (local, remote, DoS, etc.) 1 #1 1 #0 [+] Site : 1337day.com 0 #1 [+] Support e-mail : submit[at]1337day.com 1 #0 0 #1 ############################################# 1 #0 I'm Sid3^effects member from Inj3ct0r Team 1 #1 ############################################# 0 #0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Application:JAK CONTENT MANAGEMENT SYSTEM PRO Persistent Cross-site Scripting Date:26/9/2011 Vendor URL:http://www.jakcms.com Google Dork:Powered by JAKCMS Author:Sid3^effects aKa HaRi Contact:shell_c99@yahoo.com #Big hugs : Th3 RDX,Sugar #special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,SeeMe,MaYur,MA1201,Sonic,gunslinger_,Sn!pEr.S!,cr1m1n4l ############################################################################################################### Desc: Our content managament system PRO is made for professional websites any kind. Content publishing, Forum, Blog, Events, Gallery, Tags, News, Newsletter, Search, Security and more - the PRO has it all. CMS PRO is the choice for people who are serious about creating thriving online ############################################################################################################### Vulnerability:Persistent Cross-site Scripting. Attackers can send crafted messages(PM) to other users and can be used to infect or steal information..For example by sending malicious codes using iframe. ############################################################################################################### Fix: http://www.jakcms.com/userfiles/1/security_fix_iframe_o_691878.zip ############################################################################################################### Disclosure timeline: 22/09/2011-Vulnerability discovered and reported to the vendor 22/09/2011-Vendor responded. 23/09/2011-Patch released. 23/09/2011-Public disclosure ###############################################################################################################