-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CNA primary MITRE Corporation ( cve-assign [ \\**NOSPAM\\ ] mitre \\NOSPAM\\ org ) Software Vendors http://moxi9.com/phpfox Product: PhpFox Version: ALL Research Wesley Henrique Leite ( wesleyhenrique [\\NOSPAM**] gmail \\NOSPAM// com ) [+] INFORMATION Vendor Notified : 2014-10-22 Vendor Homepage : http://moxi9.com/phpfox Response Vendor: fixed 2014-10-23 (to v4 Beta) [+] DESCRIPTION The system stores all urls accessed in a database table, below information in the same 'phpfox_log_session' [phpfox]> desc phpfox_log_session; +---------------+----------------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +---------------+----------------------+------+-----+---------+-------+ | session_hash | char(32) | NO | MUL | NULL | | | id_hash | char(32) | NO | | NULL | | | captcha_hash | char(32) | YES | MUL | NULL | | | user_id | int(10) unsigned | NO | MUL | NULL | | | last_activity | int(10) unsigned | NO | MUL | NULL | | | location | varchar(255) | YES | | NULL | | | is_forum | tinyint(1) | NO | | NULL | | | forum_id | smallint(4) unsigned | NO | | NULL | | | im_status | tinyint(1) | NO | | 0 | | | im_hide | tinyint(1) | NO | | 0 | | | ip_address | varchar(15) | NO | | NULL | | | user_agent | varchar(100) | NO | | NULL | | +---------------+----------------------+------+-----+---------+-------+ the column that can be manipulated is: -> user_agent (100) all acess store in the system, such as bots and users wandering around the web site, can be seen in: AdminCP TOOLS > Online > Guests/Boots Output | IP ADDRESS | User-Agent | ... knowing this, the following code was created to inject a script into the AdminCP with User-Agent. $ curl -A "" \ http://www.meusite.com.br/ OR $ curl -A "" http://www.meusite.com.br/ when any user with administrative access in. 'AdminCP' TOOLS > Online > Guests/Boots we have the script running in the administrative area. [+] My Solution (line 1.8) 1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 10:00:11 2014 -0200 1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 12:28:39 2014 -0200 1.3 @@ -25,7 +25,7 @@ 1.4 {foreach from=$aGuests key=iKey item=aGuest} 1.5