Thanks to both seoincorporation & MagicSnow for finding the bugs. Both will be paid as soon as we fix these bugs. We already have MagicSnow's address. Requesting seoincorporation to PM his address too. Anyone else may report their further findings.
I sent you my addy in a PM. The problems I found:
1. No captcha in the "Create a New Support Ticket"
2. Can inject code on "http://www.100bit.co.in/settings.php > About me"
I made some tests and didn't find a vuln for XSS
[usr@localhost ~]$ nmap -p80 --script http-stored-xss www.100bit.co.in
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-04 11:18 CST
Nmap scan report for www.100bit.co.in (104.28.29.49)
Host is up (0.071s latency).
Other addresses for www.100bit.co.in (not scanned): 104.28.28.49
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
And about SQL injection, I'm not sure.