
fxAPPXSS.txt

Posted Jun 12, 2006
Authored by Luny

fx-APP version 0.0.8.1 is susceptible to cross site scripting attacks.

tags | exploit, xss
SHA-256 | 72ed807e2f5df0e7f99d2e6b6b5ef8e4802fe76ba3e54a4cebefe3f58df9bd0f

fx-APP Version 0.0.8.1

Homepage:
http://fx-app.org/

Affected files:
search input box
index.cgi
input boxes on your profile
adding a menu item

-------------------------------------------------------

I noticed there were already several BIDs on a script called WebAPP:

http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=webapp&x=22&y=2

However, none of these were on a fairly new CGI script called fx-APP, which looks similar to WebAPP and, as their homepage says:

"fx-APP is A Practical Perl content management system and portal written in Perl/CGI. fx-APP is up to par with Web standards so that it is more useable and multi-browser friendly. Includes mods, plugins/addons, etc. fx-APP utilises a flat file, so SQL database is not necessary. Easy to use and setup in a matter of minutes. fx-APP is Open source, licensed under GNU/GPL and free to download and use."

So I decided to submit what I could find.

----------------------------------

fx-APP has a module called Tools. The URL of this module in the browser bar is:
http://www.example.com/index.cgi?action=showhtml&url=example.com/usefultools.htm

Upon testing that, I found that you can visit any page on any offsite domain, much like using a content wrapper. In a way this could be harmful, because if a malicious user wanted to load up a script on another site, he could, and he would still be on the fx-APP site because the page loads in an iframe. PoC:

http://www.example.com/index.cgi?action=showhtml&url=evilsite.com/badcode.js

XSS Vulnerabilities:

When inputting the [iframe] tag in the search box, I noticed it's converted to [yframe], and javascript is converted to javascrypt, so one way of bypassing this is to use the decimal value of javascript. For a PoC, put this in the search box:

<IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')>

----------------------

Profile input box XSS vulnerabilities:

Data in the profile boxes such as url, website, comment, signature etc. is not properly filtered. This could lead to a user creating an XSS attack. One way to bypass these filters, much like the way above, is to convert the word javascript into its decimal equivalent and add a few closing and opening tags:

For PoC try putting the following in the url, website, comment or signature box:

'>'><IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')><'<'

Now if you'd like to see an XSS example on the same screen as editing your profile, just put in:

<""><""><IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')><""><"">

and when you hit edit profile, you will notice the popup on that page again as well.

-----------------

Adding a menu item XSS vulnerability:

User input isn't correctly filtered here either. When a user logs in, he can go to "Edit My Menu" and then "Add Menu Item"; in these input boxes a user can put:

<IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')>
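
Why the substitution filter described above does not stop these inputs, and what does, as an added example that is not part of the original advisory or fx-APP's code. It is a Python model (fx-APP itself is Perl): `blacklist_filter` is a constructed stand-in for the reported iframe/javascript rewrites, and `encode_for_html` and `safe_profile_url` are hypothetical helper names.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed model of the substitutions the advisory reports
# (iframe -> yframe, javascript -> javascrypt); not fx-APP's real code.
def blacklist_filter(value):
    value = re.sub("iframe", "yframe", value, flags=re.I)
    return re.sub("javascript", "javascrypt", value, flags=re.I)

def as_parsed_by_browser(value):
    # HTML parsers decode numeric character references (even without ';')
    # in attribute values, so a filter on the raw string never sees the word.
    return html.unescape(value)

def encode_for_html(value):
    # Fix: escape & < > " ' at output time so the input is rendered as text.
    return html.escape(value, quote=True)

def safe_profile_url(value):
    # For url/website fields: accept only http(s) links, otherwise drop the
    # value. The accepted value must still be encoded when it is written out.
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return ""
    ok = parts.scheme in ("http", "https") and bool(parts.netloc)
    return value.strip() if ok else ""

# Inputs quoted from the advisory text above.
SEARCH_POC = "<IMG SRC=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116:alert('XSS')>"
PROFILE_POC = "'>'>" + SEARCH_POC + "<'<'"

def report(payload):
    filtered = blacklist_filter(payload)
    encoded = encode_for_html(payload)
    return {
        "filter_changed_input": filtered != payload,
        "scheme_after_decoding": "javascript:" in as_parsed_by_browser(filtered),
        "markup_chars_after_encoding": any(c in encoded for c in "<>\"'"),
    }

if __name__ == "__main__":
    for name, poc in (("search", SEARCH_POC), ("profile", PROFILE_POC)):
        print(name, report(poc))
    print(repr(safe_profile_url(PROFILE_POC)))
```

The same encoding applies to every field the advisory lists (search box, profile boxes, menu items), because the flaw is the missing output encoding rather than any one missing blacklist entry.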
