iBrowser Plugin 1.4.1 Cross Site Scripting

`  
iBrowser Plugin v1.4.1 (dir) Remote Cross-Site Scripting Vulnerability  
  
  
Vendor: net4visions.com  
Product web page: http://www.net4visions.com  
Affected version: <= 1.4.1 Build 10182009  
  
Summary: iBrowser is an image browser plugin for WYSIWYG editors like  
tinyMCE, SPAW, htmlAREA, Xinha and FCKeditor developed by net4visions.  
It allows image browsing, resizing on upload, directory management and  
more with the integration of the phpThumb image library.  
  
Desc: iBrowser suffers from a XSS vulnerability when parsing user input  
to the 'dir' parameter via GET method in 'random.php' and 'phpThumb.demo.random.php'.  
Attackers can exploit this weakness to execute arbitrary HTML and script  
code in a user's browser session.  
  
  
Tested on: Microsoft Windows XP Professional SP3 (EN)  
Apache 2.2.14 (Win32)  
PHP 5.3.1  
MySQL 5.1.41  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
liquidworm gmail com  
  
  
Advisory ID: ZSL-2011-5044  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5044.php  
  
  
15.09.2011  
  
--  
  
http://SOME_CMS/jscripts/tiny_mce/plugins/ibrowser/scripts/random.php?dir=<script>alert('zsl')</script>  
http://SOME_CMS/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert('zsl')</script>  
  
`