iBrowser Plugin 1.4.1 Cross Site Scripting

2011.09.20
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability Vendor: net4visions.com Product web page: http://www.net4visions.com Affected version: <= 1.4.1 Build 10182009 Summary: iBrowser is an image browser plugin for WYSIWYG editors like tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions. It allows image browsing, resizing on upload, directory management and more with the integration of the phpThumb image library. Desc: iBrowser suffers from a XSS vulnerability when parsing user input to the 'dir' parameter via GET method in 'random.php' and 'phpThumb.demo.random.php'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.14 (Win32) PHP 5.3.1 MySQL 5.1.41 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com Advisory ID: ZSL-2011-5044 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5044.php 15.09.2011 -- http://SOME_CMS/jscripts/tiny_mce/plugins/ibrowser/scripts/random.php?dir=<script>alert('zsl')</script> http://SOME_CMS/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert('zsl')</script>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5044.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top