AZ Photo Album Cross Site Scripting and Arbitrary File Upload Vulnerabilities

2012-05-20T00:00:00
ID EDB-ID:37283
Type exploitdb
Reporter Eyup CELIK
Modified 2012-05-20T00:00:00

Description

AZ Photo Album Cross Site Scripting and Arbitrary File Upload Vulnerabilities. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/53641/info

The AZ Photo Album is prone to a cross-site-scripting and an arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.

Attackers can exploit these issues to steal cookie information, execute arbitrary client side script code in the context of browser, upload and execute arbitrary files in the context of the webserver, and launch other attacks. 

http://www.example.com/demo/php-photo-album-script/index.php/%F6%22%20onmouseover=document.write%28%22google.com%22%29%20

http://www.example.com/demo/php-photo-album-script/index.php/?gazpart=suggest