Multiple Vulnerabilities in Jojo CMS

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Jojo CMS, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.

1) SQL Injection in Jojo CMS: CVE-2013-3081
The vulnerability is caused by insufficient filtration of user-supplied input passed to the "X-Forwarded-For" HTTP header in "/articles/test/" URI. A remote unauthenticated attacker can send a specially crafted HTTP request and execute arbitrary SQL commands in application’s database.
The PoC code below will create a file "/var/www/file.php" containing content of "comment" table (if web and database server configurations allow):
POST /articles/test/ HTTP/1.1
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' --
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
name=name&email=user%40mail.com&website=&anchortext=&comment=comment&s ubmit=Post+Comment
The above-mentioned PoC code can be used to execute arbitrary PHP code on the vulnerable system if the attacker creates a comment containing PHP code.
Successful exploitation of the vulnerability requires that "jojo comments" plugin is enabled (disabled by default).

2) Cross-Site Scripting (XSS) in Jojo CMS: CVE-2013-3082
The vulnerability exists due to insufficient filtration of user-supplied data passed to "search" HTTP POST parameter in "/forgot-password/" URI. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display user's cookies:
<form action="http://jojo/forgot-password/" method="post">
<input type="hidden" name="search" value='<script>alert(document.cookike);</script>'>
<input type="submit" id="btn">
</form>