Advisory: Allembru Ad Manager 3.0.2 Persistent XSS Vulnerability
Version:3.0.2
Vendor URL: http://www.allembru.com/
Demo Link:http://www.allembru.com/wp-content/demos/ad-manager-v3/
Author: Viknesvaran Sittaramane
Category: Webapp  
Twiiter: https://twitter.com/csvsn     
 
~.~.~.~.~.~.~.~.~.~.~.
Product Description
~.~.~.~.~.~.~.~.~.~.~.
 
Ad Manager is a free and user friendly PHP language script that helps you manage, display, and track clicks to your affiliate marketing and advertising campaigns banner ads. With Ad Manager you can build multiple advertising campaigns of various ad sizes and display them anywhere on your web site.
 
~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Description
~.~.~.~.~.~.~.~.~.~.~.
 
Ad Manager by Allembru suffers from Persistent Cross site Vulnerability

~.~.~.~.~.~.
PoC-Exploit
~.~.~.~.~.~.
 
Step1 : Login using the required credentials

Step2 : Create a New Campaign 

Step3 : Insert the malicious script on field "Campaign name" and click submit.

Step4 : Persistent Cross site script is Confirmed
 
Parameter used : '"--><script>alert(0x000872)</script>

~.~.~.~.~.~.~.~.~.~.
Disclosure Timeline
~.~.~.~.~.~.~.~.~.~.

14th January 2013 -> Vendor Notified