Reporter Vadodil Joel Varghese
#Affected Vendor: https://www.php-fusion.co.uk/home.php
#Type of vulnerability: Persistent XSS + Clickjacking
#Tested on: Windows 8.1
#Product: PHP Fusion
#1 Cross Site Scripting
#Description: PHP Fusion is vulnerable to stored cross site scriting
vulnerability as the parameter "page_content" is vulnerable which will lead
to its compromise.
#Proof of Concept (PoC):
#2 UI redress attack
#Tested Link: http://localhost/PHPfusion/files/viewpage.php?page_id=5
#Description: PHP Fusion is vulnerable to UI redress attack as multiple
transparent or opaque layers can be used to trick a user into clicking on a
button or link on another page when they were intending to click on the the
top level page.
#Proof of Concept (PoC): <iframe src="
http://localhost/PHPfusion/files/viewpage.php?page_id=5" sanboxed width=900
height=900> Please check me out !!!! </iframe>