Icy Phoenix 1.3.0.53a Cross Site Scripting

2011-02-20T00:00:00
ID PACKETSTORM:98632
Type packetstorm
Reporter Saif El-Sherei
Modified 2011-02-20T00:00:00

Description

                                        
                                            `# Exploit Title: Icy Phoenix 1.3.0.53a http referer stored XSS  
# Google Dork: " Powered by Icy Phoenix <http://www.icyphoenix.com/>"  
# Date: 16-2-2011  
# Author: Saif El-Sherei  
# Software Link: http://www.icyphoenix.com/dload.php?action=file&file_id=171  
# Version: Icy Phoenix 1.3.0.53a  
# Tested on:FF 3.0.15, IE 8  
# Vendor Response:  
http://www.icyphoenix.com/viewtopic.php?f=1&p=51700#p51700  
  
Info:  
  
Icy Phoenix is a CMS based on phpBB (a fully scalable and highly  
customisable open-source Bulletin Board  
package PHP based) plus many modifications and code integrations which add  
flexibility to the whole package. The official home page for phpBB is  
www.phpbb.com. Icy Phoenix has some features originally developed for phpBB  
XS Project which has been founded by Bicet and then developed by both Bicet  
and Mighty Gorgon. Icy Phoenix has been created by Mighty Gorgon after he  
left the phpBB XS Project.  
  
Details:  
  
there is a stoed XSS Vulnerability using http referer HTTP header due to  
failure in "index.php" in the acp to sanitize the http referer header any  
visitor to the site can comprmise the admin account or any user with  
privileges to see the "http referrers" section under the "Info" section. an  
attacker has to use an intrcepting proxy or manual server requests to add  
the " HTTP referer header" containing the POC to the server request.  
  
POC:  
  
<script>alert("XSS");</script>  
  
Regards,  
  
Saif El-Sherei  
  
OSCP  
`