HTB22964: XSS in SelectaPix Image Gallery

2011-05-03T00:00:00
ID SECURITYVULNS:DOC:26288
Type securityvulns
Reporter Securityvulns
Modified 2011-05-03T00:00:00

Description

Vulnerability ID: HTB22964 Reference: http://www.htbridge.ch/advisory/xss_in_selectapix_image_gallery.html Product: SelectaPix Image Gallery Vendor: http://www.outofthetrees.co.uk/ ( http://www.outofthetrees.co.uk/ ) Vulnerable Version: 1.4.1 Vendor Notification: 19 April 2011 Vulnerability Type: XSS (Cross Site Scripting) Risk level: Medium Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )

Vulnerability Details: User can execute arbitrary JavaScript code within the vulnerable application. The vulnerability exists due to failure in the "/admin/upload.php" script to properly sanitize user-supplied input in "uploadername" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. The following PoC is available:

<form action="http://[host]/admin/upload.php?albumID=1&parentID=0&request=single" method="post" name="main" id="main"> <input type="hidden" name="uploadername" value='"><script>alert(document.cookie);</script>'> <input type="submit" value="OK"> </form>