# Title : FlatPress 0.909.1 Stored XSS Vulnerability
# Published : 2010-04-03
# Author : ItSecTeam
##############################################################################
#Title: FlatPress 0.909.1 Stored XSS #
#Vendor: http://www.flatpress.org #
#Dork: "powered by FlatPress" #
##############################################################################
#AUTHOR: ITSecTeam #
#Email: Bug@ITSecTeam.com #
#Website: http://www.itsecteam.com #
#Forum : http://forum.ITSecTeam.com #
#Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability32.htm #
#Thanks: r3dm0v3, Pejvak, am!rkh@n & everyone in the world :D #
##############################################################################
#DESCRIPTION (by vendor):#####################################################
FlatPress is an open-source standard-compliant multi-lingual extensible
blogging engine which does not require a DataBase Management System to work.
#BUG:#########################################################################
file fp-plugins/lastcomments/plugin.lastcomments.php, lines 52-58 (escaping backslashes restored, the advisory's own marker kept):
$content .=
"<li>
<blockquote class=\"comment-quote\" cite=\"comments.php?entry={$arr['entry']}#{$arr['id']}\">
{$arr['content']} //<-----vulnerable line!
<p><a href=\"".get_comments_link($arr['entry']).
"#{$arr['id']}\">{$arr['name']} - {$entry['subject']}</a></p>
</blockquote></li>\n";
The comment body ($arr['content']) is written into the "last comments" block without any HTML escaping, so markup stored in a comment is rendered on every page that shows the block.
#EXPLOIT:####################################################################
Go to the comments page and post a script as the comment content; it is stored and rendered unescaped in the last comments block.
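The same block rendered the vulnerable way and with output escaping, as an added example that is not FlatPress code; get_comments_link() is stubbed here and the sample comment is constructed:

```php
<?php
// Added example, not FlatPress code: the lastcomments block rendered two ways.
// get_comments_link() is a FlatPress helper; this stub stands in for it.
function get_comments_link($entry) {
    return 'comments.php?entry=' . rawurlencode($entry);
}

// Escape a value for insertion into HTML text or a double-quoted attribute.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable rendering: every field, including the visitor-controlled
// comment body, is concatenated into the markup verbatim.
function render_last_comment_vulnerable(array $arr, array $entry) {
    return "<li>\n"
        . "<blockquote class=\"comment-quote\" cite=\"comments.php?entry={$arr['entry']}#{$arr['id']}\">\n"
        . "{$arr['content']}\n"
        . "<p><a href=\"" . get_comments_link($arr['entry'])
        . "#{$arr['id']}\">{$arr['name']} - {$entry['subject']}</a></p>\n"
        . "</blockquote></li>\n";
}

// Fixed rendering: escape each untrusted field at the point of output,
// attributes and text alike (name and subject are user-supplied too).
function render_last_comment_fixed(array $arr, array $entry) {
    $cite = h('comments.php?entry=' . $arr['entry'] . '#' . $arr['id']);
    $href = h(get_comments_link($arr['entry']) . '#' . $arr['id']);
    return "<li>\n"
        . "<blockquote class=\"comment-quote\" cite=\"$cite\">\n"
        . h($arr['content']) . "\n"
        . "<p><a href=\"$href\">" . h($arr['name']) . ' - ' . h($entry['subject']) . "</a></p>\n"
        . "</blockquote></li>\n";
}

// Constructed sample comment (not real data) whose body carries markup.
$comment = ['entry' => 'entry100101-120000', 'id' => 'comment100101-120500',
            'name' => 'visitor', 'content' => '<script>alert(1)</script>'];
$entry   = ['subject' => 'Hello world'];

echo render_last_comment_vulnerable($comment, $entry); // script tag reaches the browser intact
echo render_last_comment_fixed($comment, $entry);      // shown as literal text: &lt;script&gt;...
```

Escaping at output time is the fix; rejecting "<" on input is not, since the same stored value is also echoed elsewhere by the comments page.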