ID CVE-2005-0777 Type cve Reporter cve@mitre.org Modified 2017-07-11T01:32:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP 5.0 RC3 allow remote attackers to inject arbitrary web script or HTML via (1) the check_tags function or (2) the editbio field in the user profile.
{"osvdb": [{"lastseen": "2017-04-28T13:20:10", "bulletinFamily": "software", "description": "## Vulnerability Description\nPhotoPost Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input in the 'Biography' field upon submission to the 'profile.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 5.01 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPhotoPost Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input in the 'Biography' field upon submission to the 'profile.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## References:\nVendor URL: http://www.photopost.com/\n[Secunia Advisory ID:14576](https://secuniaresearch.flexerasoftware.com/advisories/14576/)\n[Related OSVDB ID: 14679](https://vulners.com/osvdb/OSVDB:14679)\n[Related OSVDB ID: 14680](https://vulners.com/osvdb/OSVDB:14680)\n[Related OSVDB ID: 14681](https://vulners.com/osvdb/OSVDB:14681)\n[Related OSVDB ID: 14683](https://vulners.com/osvdb/OSVDB:14683)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0200.html\nISS X-Force ID: 19678\n[CVE-2005-0777](https://vulners.com/cve/CVE-2005-0777)\nBugtraq ID: 12779\n", "modified": "2005-03-11T05:40:19", "published": "2005-03-11T05:40:19", "href": "https://vulners.com/osvdb/OSVDB:14682", "id": "OSVDB:14682", "type": "osvdb", "title": "PhotoPost Pro profile.php Biography Field XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:26", "bulletinFamily": "scanner", "description": "According to its banner, the version of PhotoPost PHP installed on the remote host has several vulnerabilities:\n\n - An Access Validation Vulnerability.\n The 'adm-photo.php' script fails to verify authentication credentials, which allows an attacker to change the properties of thumbnails of uploaded images.\n\n - A SQL Injection Vulnerability.\n The 'uid' parameter in the 'member.php' script is not properly sanitized before use in SQL queries. An attacker can leverage this flaw to disclose or modify sensitive information or perhaps even launch attacks against the underlying database implementation.\n\n - A Cross-site Scripting (XSS) Vulnerability.\n The 'editbio' parameter of the user profile form is not sanitized properly, allowing an attacker to inject arbitrary script or HTML in a user's browser in the context of the affected website, resulting in theft of authentication data or other such attacks.", "modified": "2018-11-15T00:00:00", "id": "PHOTOPOST_MULTIPLE_VULNS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17314", "published": "2005-03-11T00:00:00", "title": "PhotoPost PHP < 5.0.1 Multiple Remote Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17314);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2005-0774\", \"CVE-2005-0775\", \"CVE-2005-0776\", \"CVE-2005-0777\", \"CVE-2005-0778\", \"CVE-2005-1629\");\n script_bugtraq_id(12779, 13620);\n\n script_name(english:\"PhotoPost PHP < 5.0.1 Multiple Remote Vulnerabilities\");\n script_summary(english:\"Checks for multiple remote vulnerabilities in PhotoPost PHP 5.0 RC3 and older\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nseveral vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PhotoPost PHP installed on the\nremote host has several vulnerabilities:\n\n - An Access Validation Vulnerability.\n The 'adm-photo.php' script fails to verify authentication\n credentials, which allows an attacker to change the \n properties of thumbnails of uploaded images.\n\n - A SQL Injection Vulnerability.\n The 'uid' parameter in the 'member.php' script is not \n properly sanitized before use in SQL queries. An\n attacker can leverage this flaw to disclose or modify\n sensitive information or perhaps even launch attacks\n against the underlying database implementation.\n\n - A Cross-site Scripting (XSS) Vulnerability.\n The 'editbio' parameter of the user profile form is not sanitized\n properly, allowing an attacker to inject arbitrary script or\n HTML in a user's browser in the context of the affected website, \n resulting in theft of authentication data or other such attacks.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Mar/213\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2005/May/311\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PhotoPost PHP version 5.01 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/03/11\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/03/11\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:photopost:photopost_php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:photopost:photopost_php_pro\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"photopost_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/photopost\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/photopost\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n\n if (ver =~ \"^[0-4].*|5\\.0[^0-9]?|5\\.0rc[123]$\")\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
