# Exploit Title: Icy Phoenix 1.3.0.53a http referer stored XSS
# Google Dork: " Powered by Icy Phoenix <http://www.icyphoenix.com/>"
# Date: 16-2-2011
# Author: Saif El-Sherei
# Software Link: http://www.icyphoenix.com/dload.php?action=file&file_id=171
# Version: Icy Phoenix 1.3.0.53a
# Tested on:FF 3.0.15, IE 8
# Vendor Response:
http://www.icyphoenix.com/viewtopic.php?f=1&p=51700#p51700

Info:

Icy Phoenix is a CMS based on phpBB (a fully scalable  and highly
customisable open-source Bulletin Board
package PHP based) plus many modifications and code integrations which add
flexibility to the whole package. The official home page for phpBB is
www.phpbb.com. Icy Phoenix has some features originally developed for phpBB
XS Project which has been founded by Bicet and then developed by both Bicet
and Mighty Gorgon. Icy Phoenix has been created by Mighty Gorgon after he
left the phpBB XS Project.

Details:

there is a stoed XSS Vulnerability using http referer HTTP header due to
failure in "index.php" in the acp to sanitize the http referer header any
visitor to the site can comprmise the admin account or any user with
privileges to see the "http referrers" section under the "Info" section. an
attacker has to use an intrcepting proxy or manual server requests to add
the " HTTP referer header" containing the POC to the server request.

POC:

<script>alert("XSS");</script>

Regards,

Saif El-Sherei

OSCP