PHP JackKnife XSS vuln.

2005-12-13T00:00:00
ID SECURITYVULNS:DOC:10594
Type securityvulns
Reporter Securityvulns
Modified 2005-12-13T00:00:00

Description

PHP JackKnife XSS vuln.

Vuln. discovered by: r0t
Date: 13 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/php-jackknife-xss-vuln.html
Vendor: http://www.phpjk.com/
Affected version: 2.21 and prior

Product Description:

PHP JackKnife is an easily set-up, fast, feature-rich photo gallery script with MySQL or MSSQL databases. PHPJK supports template and user management, private galleries, automatic thumbnail creation, film strip, e-card feature for easy customization to match the rest of a site. PHPJK adds multiple uploads, updated securities, many new features including support for document types (i.e. tiff, psd, swf, doc, mp3, etc)! Additional features: auto-thumbnailing, image upload, rating, searching, unlimited categories and subcategories, unlimited galleries and images, private & locked galleries, bulk import via ftp, dynamic products display, alternate images, eCards, image referencing and much more! It also includes Aricaur.com integration so you can sell prints, t-shirts and gift items with your images on them! PHP & MSSQL/MySQL & Win/*nix

Vuln. Description:

PHP JackKnife contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "sKeywords" parameter of "DisplayResults.php" is not properly sanitised before being returned to the user. This allows an attacker to craft a URL that executes arbitrary script code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example:

/Search/DisplayResults.php?DOMAIN_Link=&iSearchID=292&sKeywords=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E

Solution: Edit the source code to ensure that input is properly sanitised.
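The advisory's fix is stated in one line, so here is a worked illustration of what "properly sanitised" means for a reflected value. This is added example code, not PHP JackKnife's own source: the function names `render_keywords_vulnerable`, `render_keywords_safe` and `h` are assumptions about how a search-results page might echo `sKeywords` back, and the sample input is the decoded form of the advisory's proof-of-concept value. The vulnerable pattern interpolates the raw query-string value into HTML; the hardened pattern encodes it at the point it is written into the page.

```php
<?php
// Added illustration, not PHP JackKnife's own code. The function names and
// the HTML layout below are assumptions; only the parameter name "sKeywords"
// and the sample value come from the advisory.

declare(strict_types=1);

// Vulnerable pattern: the raw request value is concatenated into markup.
// A value beginning with "> closes the attribute and the <input> tag,
// so whatever follows is parsed as new HTML and any <script> in it runs.
function render_keywords_vulnerable(string $sKeywords): string
{
    return '<input type="text" name="sKeywords" value="' . $sKeywords . '">'
         . "\n<p>Results for: " . $sKeywords . "</p>\n";
}

// Output encoding helper. ENT_QUOTES encodes both ' and " so the value can
// never terminate a single- or double-quoted attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of silently returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: identical markup, but every untrusted value passes
// through h() where it meets the HTML. Encode on output, not on input,
// so the stored search term stays intact for logging and searching.
function render_keywords_safe(string $sKeywords): string
{
    return '<input type="text" name="sKeywords" value="' . h($sKeywords) . '">'
         . "\n<p>Results for: " . h($sKeywords) . "</p>\n";
}

// Reading the parameter: in the real page this would be $_GET['sKeywords'].
// Trimming and capping the length is defence in depth; it does not replace
// the output encoding above, which is what actually closes the XSS.
function read_keywords(array $query): string
{
    $raw = isset($query['sKeywords']) && is_string($query['sKeywords']) ? $query['sKeywords'] : '';
    return mb_substr(trim($raw), 0, 200, 'UTF-8');
}

// Constructed sample request: the decoded proof-of-concept from the advisory.
$query = [
    'DOMAIN_Link' => '',
    'iSearchID'   => '292',
    'sKeywords'   => '"><script>alert(\'r0t\')</script>',
];
$sKeywords = read_keywords($query);

echo "--- vulnerable output ---\n", render_keywords_vulnerable($sKeywords);
echo "--- hardened output ---\n",   render_keywords_safe($sKeywords);

// Self-check: the hardened output must not carry a live <script> tag.
if (stripos(render_keywords_safe($sKeywords), '<script') !== false) {
    fwrite(STDERR, "hardened output still contains a script tag\n");
    exit(1);
}
echo "ok: hardened output contains no raw <script> tag\n";
```

Run it with `php example.php`; the vulnerable block prints the injected tag verbatim, while the hardened block prints `&quot;&gt;&lt;script&gt;...` so the browser displays the text instead of executing it. The same `h()` call belongs around every other reflected value on the page (including `iSearchID`, which should additionally be cast to an integer before use), since an XSS fix that covers only the parameter named in the advisory leaves the remaining echo points in the same state.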