Wednesday, November 28, 2012

Phoca Guestbook XSS

Found XSS and possibly a permanent and blind XSS.
Reported to the right person and they came out with an updated version to fix that issue.

Get the updated version here

Steps to reproduce the bug:
Complete the message/comment box. Each of the forms is vulnerable to XSS.

The XSS payload is successfully stored. If the comment/message needs validation from an admin, a direct payload can be used to get the admin's cookies; this attack is known as Blind XSS.
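For anyone maintaining a similar guestbook, here is the stored-entry rendering problem next to its fix. This is an added example, not Phoca Guestbook's code and not the vendor's patch; the field names (`username`, `title`, `content`), the function names and the sample entry are hypothetical.

```php
<?php
// Added example: NOT Phoca Guestbook's code. All names here are hypothetical.

// Constructed sample entry, shaped like a submission from the guestbook form.
$entry = [
    'username' => 'guest"><b>x</b>',
    'title'    => 'Hello',
    'content'  => '<script>alert(1)</script>',
];

// Encode a stored value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored fields are echoed as-is, so markup in any field
// runs in the browser of whoever opens the page, including the admin who
// reviews entries waiting for approval.
function renderEntryUnsafe(array $entry): string
{
    return '<div class="entry"><h3>' . $entry['title'] . '</h3>'
         . '<span class="author">' . $entry['username'] . '</span>'
         . '<p>' . $entry['content'] . '</p></div>';
}

// Hardened pattern: every stored field is encoded at output time. The public
// page and the admin moderation queue must both render through this function.
function renderEntrySafe(array $entry): string
{
    return '<div class="entry"><h3>' . e($entry['title']) . '</h3>'
         . '<span class="author">' . e($entry['username']) . '</span>'
         . '<p>' . e($entry['content']) . '</p></div>';
}

// Defence in depth for the admin session: an HttpOnly cookie is not readable
// from script, which limits what a missed injection point can take.
// Must run before session_start(); the array form requires PHP 7.3+.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);

echo renderEntryUnsafe($entry), PHP_EOL; // markup reaches the browser intact
echo renderEntrySafe($entry), PHP_EOL;   // markup arrives as inert text
```

Encoding at output rather than only filtering at input matters here because entries stored before a fix is deployed are still in the database when the admin next opens the queue.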

Date reported: 25/10/2012
Date fixed: 21/11/2012
Date published: 29/11/2012