Flatpress 0.909.1 – Persistent Cross-Site Scripting

• Exploit Database
• 10 阅读

• 作者： ITSecTeam
  日期： 2010-04-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12034/

• ##############################################################################
  #Title: FlatPress 0.909.1 Stored XSS #
  #Vendor:http://www.flatpress.org #
  #Dork:"powered by FlatPress" #
  ##############################################################################
  #AUTHOR:ITSecTeam#
  #Email: Bug@ITSecTeam.com#
  #Website: http://www.itsecteam.com #
  #Forum :http://forum.ITSecTeam.com #
  #Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability32.htm #
  #Thanks:r3dm0v3, Pejvak, am!rkh@n & everyone in the world :D #
  ##############################################################################
  
  #DESCRIPTION (by vendor):#####################################################
  FlatPress is an open-source standard-compliant multi-lingual extensible 
  blogging engine which does not require a DataBase Management System to work.
  
  
  #BUG:#########################################################################
  file fp-plugins/lastcomments/plugin.lastcomments.php:
   52:			$content .=	
   53:			"<li>
   54:			<blockquote class=\"comment-quote\" cite=\"comments.php?entry={$arr['entry']}#{$arr['id']}\">
   55:			{$arr['content']} //<-----vulnerable line!
   56:			<p><a href=\"".get_comments_link($arr['entry']).
   57:			"#{$arr['id']}\">{$arr['name']} - {$entry['subject']}</a></p>
   58:			</blockquote></li>\n";
  
  Unfiltered comment is used to create last comments block!
  
  
  #EXPLOIT:####################################################################
  goto comments and post any script as comment content!