FlatPress 0.909.1 Stored XSS Vulnerability :

Date : 2010-04-03 Author : ItSecTeam
##############################################################################
#Title:             FlatPress 0.909.1 Stored XSS                             #
#Vendor:            http://www.flatpress.org                                 #
#Dork:              "powered by FlatPress"                                   #
##############################################################################
#AUTHOR:            ITSecTeam                                                #
#Email:             [email protected]                                        #
#Website:           http://www.itsecteam.com                                 #
#Forum :            http://forum.ITSecTeam.com                               #
#Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability32.htm #
#Thanks:            r3dm0v3, Pejvak, am!rkh@n & everyone in the world :D     #
##############################################################################

#DESCRIPTION (by vendor):#####################################################
FlatPress is an open-source standard-compliant multi-lingual extensible 
blogging engine which does not require a DataBase Management System to work.


#BUG:#########################################################################
file fp-plugins/lastcomments/plugin.lastcomments.php (inner double quotes restored as escaped, as PHP requires inside a double-quoted string):
 52:			$content .=
 53:			"<li>
 54:			<blockquote class=\"comment-quote\" cite=\"comments.php?entry={$arr['entry']}#{$arr['id']}\">
 55:			{$arr['content']} //<-----vulnerable line: comment body inserted without escaping
 56:			<p><a href=\"".get_comments_link($arr['entry']).
 57:			"#{$arr['id']}\">{$arr['name']} - {$entry['subject']}</a></p>
 58:			</blockquote></li>
";

The stored comment body ($arr['content']) is interpolated into the "last comments" block without any HTML escaping, so markup or script saved in a comment is rendered wherever that block is displayed (stored XSS).
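The following is an added illustration, not FlatPress code: it places the unescaped rendering shape from the snippet above next to a hardened version that escapes every untrusted field with htmlspecialchars() at the point it enters HTML. get_comments_link() is the FlatPress helper named in the snippet; because this example runs on its own, a stand-in with that name is defined here, and its link format is an assumption. The $arr and $entry values are constructed sample data.

```php
<?php
// Added example (not FlatPress's own code): vulnerable vs. hardened rendering
// of one "last comments" list item.

if (!function_exists('get_comments_link')) {
    // Stand-in for the FlatPress helper; the real link format is not reproduced here.
    function get_comments_link($entry) {
        return 'comments.php?entry=' . rawurlencode($entry);
    }
}

// Escape a value for use as HTML text or as a quoted attribute value.
// ENT_QUOTES converts both ' and " so the value cannot break out of an attribute.
function esc($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable shape, as in the advisory: the comment body goes in verbatim.
function render_last_comment_unsafe(array $arr, array $entry) {
    return "<li><blockquote class=\"comment-quote\" cite=\"comments.php?entry={$arr['entry']}#{$arr['id']}\">"
         . $arr['content']
         . "<p><a href=\"" . get_comments_link($arr['entry']) . "#{$arr['id']}\">"
         . "{$arr['name']} - {$entry['subject']}</a></p></blockquote></li>\n";
}

// Hardened shape: every field that originates from a visitor or from stored
// data is escaped where it is written into markup (text nodes and attributes).
function render_last_comment_safe(array $arr, array $entry) {
    $cite = esc('comments.php?entry=' . $arr['entry'] . '#' . $arr['id']);
    $href = esc(get_comments_link($arr['entry']) . '#' . $arr['id']);
    return '<li><blockquote class="comment-quote" cite="' . $cite . '">'
         . esc($arr['content'])
         . '<p><a href="' . $href . '">'
         . esc($arr['name']) . ' - ' . esc($entry['subject']) . '</a></p></blockquote></li>' . "\n";
}

// Constructed sample comment containing markup that must not execute.
$arr = array(
    'entry'   => 'entry100101-120000',
    'id'      => 'comment100101-120500',
    'name'    => 'visitor "one"',
    'content' => '<script>alert(1)</script>hello',
);
$entry = array('subject' => 'First post & friends');

echo "UNSAFE:\n", render_last_comment_unsafe($arr, $entry), "\n";
echo "SAFE:\n",   render_last_comment_safe($arr, $entry), "\n";

// Check: the hardened output never contains a raw <script tag.
if (strpos(render_last_comment_safe($arr, $entry), '<script') !== false) {
    throw new RuntimeException('escaping failed');
}
```

The same output-escaping rule applies to every other template in the plugin that echoes comment fields; escaping at the rendering step rather than at save time keeps stored data intact and protects every place the data is later displayed.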


#EXPLOIT:####################################################################
Go to the comments form of any entry and post script or HTML as the comment content; it is rendered unescaped in the last-comments block.
