Title: Multiple Vulnerabilities in PHPX

By: Manuel López ( manegts@hotmail.com ) FROM #IST libres.irc-hispano.org,
#IST Efnet.

Url: http://www.phpx.org

Description:
PHPX is a web portal system, blog, Content Management System (CMS),
forums, and more. PHPX is designed to allow everyone to be able to have
feature rich, interactive websites even if you do not know a bit of
programming.

Affected Versions:
The vulnerabilities were found in version 3.2.3 of PHPX, earlier versions
could be affected by these issues.

Severity: High

Vulnerabilities:

- Cross Site Scripting:

A vulnerability exists in main.inc.php, help.inc.php, that allows
arbitrary code execution on the client-side browser.

 main.inc.php?keywords='><script>alert(document.cookie)</script>
 help.inc.php?body='><script>alert(document.cookie)</script>

- HTML/Code Injection Flaw:

In Personal Messages and Forum the injection of malicious code is possible
in the subject field directly.
An attacker can submit specially crafted text so that when a target user
views certain pages on the service, arbitrary scripting code will be
executed by the target user's browser, allowing the attacker to modify
user profiles, post in forums, stolen cookies...

- Cookie Account Hijacking Vulnerability:

The cookie contains a PXL variable, which PHPX uses to determine which
user to authenticate. It´s possible to edit the PXL in the cookie and
change it by target userID to gain access to their account.
This issue can be exploited to gain an administrative account,
compromising completely the service.

Solution: Vendor contacted and release version 3.2.4.
http://phpx.org
Upgrade to version 3.2.4

---- Credits ----
Manuel López ( manegts@hotmail.com ) #IST
Special Thank´s: -- Aklis --

Kein, Skool, TheChakal, vientoS, |RDR|, NSR500, ^SargE^, Logicman, kour,
Archville, hypen, daiamon, M_I_R.. and all the #IST staff.

Excuse me for speaking English so badly.