FlatPress version 0.909.1 suffers from a stored cross site scripting vulnerability.
449f9de471e6ed177a9a37d9d4b48ed3219efebdaeb86c8413a4e2cb65acb8ef##############################################################################
#Title: FlatPress 0.909.1 Stored XSS #
#Vendor: http://www.flatpress.org #
#Dork: "powered by FlatPress" #
##############################################################################
#AUTHOR: ITSecTeam #
#Email: Bug@ITSecTeam.com #
#Website: http://www.itsecteam.com #
#Forum : http://forum.ITSecTeam.com #
#Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability32.htm #
#Thanks: r3dm0v3, Pejvak, am!rkh@n & everyone in the world :D #
##############################################################################
#DESCRIPTION (by vendor):#####################################################
FlatPress is an open-source standard-compliant multi-lingual extensible
blogging engine which does not require a DataBase Management System to work.
#BUG:#########################################################################
file fp-plugins/lastcomments/plugin.lastcomments.php:
52: $content .=
53: "<li>
54: <blockquote class=\"comment-quote\" cite=\"comments.php?entry={$arr['entry']}#{$arr['id']}\">
55: {$arr['content']} //<-----vulnerable line!
56: <p><a href=\"".get_comments_link($arr['entry']).
57: "#{$arr['id']}\">{$arr['name']} - {$entry['subject']}</a></p>
58: </blockquote></li>\n";
Unfiltered comment is used to create last comments block!
#EXPLOIT:####################################################################
goto comments and post any script as comment content!
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed