MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities

2013-02-25T00:00:00
ID ZSL-2013-5132
Type zeroscience
Reporter Gjoko Krstic
Modified 2013-02-25T00:00:00

Description

Title: MTP Poll 1.0 Multiple Remote Script Insertion Vulnerabilities
Advisory ID: ZSL-2013-5132
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 25.02.2013

Summary

More Than Poll is a polling system with a powerful administration tool. It features multiple polls, templates, unlimited options, IP logging, cookie support, and more.

Description

MTP Poll script suffers from multiple stored cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to several scripts is not properly sanitized before being stored and later returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
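The bug class described above, shown as an added example that is not MTP Poll's own code: stored poll data (here a constructed array standing in for rows read back from the poll database; the real parameter and script names are not given in this advisory and are not assumed) is echoed into HTML once without output encoding and once through a small encoding helper. The hardened form is what a fix for this class of issue looks like: encode at the point of output, for the context the value lands in.

```php
<?php
// Added example, not code from the MTP Poll project. Illustrates the stored
// XSS pattern in the advisory beside its hardened counterpart.

// Constructed sample rows as a poll table might hold them. Option 3 stands in
// for an attacker-supplied label that was accepted and stored unsanitized.
$storedOptions = [
    ['id' => 1, 'label' => 'Yes'],
    ['id' => 2, 'label' => 'No'],
    ['id' => 3, 'label' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the stored label is concatenated straight into the page,
// so any markup it contains is parsed as live HTML by every visitor's browser.
function renderOptionsVulnerable(array $options): string
{
    $html = '';
    foreach ($options as $opt) {
        $html .= '<label><input type="radio" name="vote" value="' . $opt['id'] . '"> '
               . $opt['label'] . "</label>\n";
    }
    return $html;
}

// Hardened pattern: encode at output. ENT_QUOTES escapes both quote styles so
// the helper is safe for element content and quoted attribute values alike;
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderOptionsSafe(array $options): string
{
    $html = '';
    foreach ($options as $opt) {
        // The id is reflected into an attribute, so force it to an integer;
        // the label is free text, so it is always passed through e().
        $html .= '<label><input type="radio" name="vote" value="' . (int) $opt['id'] . '"> '
               . e($opt['label']) . "</label>\n";
    }
    return $html;
}

echo "--- vulnerable ---\n", renderOptionsVulnerable($storedOptions);
echo "--- hardened ---\n", renderOptionsSafe($storedOptions);
```

Run with `php` on the command line and compare the two sections: in the hardened output option 3 appears literally as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text rather than executing. Because the vulnerability is stored, the encoding belongs on every code path that renders poll data (public vote page, results page, and the administration tool), not only on the script that first accepted the input.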

Vendor

MTP Scripts - <http://www.morephp.net>

Affected Version

1.0

Tested On

Linux, Apache2

Vendor Status

[17.02.2013] Vulnerability discovered.
[19.02.2013] Contact with the vendor.
[24.02.2013] No response from the vendor.
[25.02.2013] Public security advisory released.

PoC

mtppoll_xss.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://packetstormsecurity.com/files/120533>
[2] <http://www.securityfocus.com/bid/58150>
[3] <http://cxsecurity.com/issue/WLB-2013020191>
[4] <http://www.exploit-db.com/exploits/24546/>
[5] <http://xforce.iss.net/xforce/xfdb/82382>
[6] <http://www.osvdb.org/show/osvdb/90636>
[7] <http://www.osvdb.org/show/osvdb/90637>
[8] <http://www.osvdb.org/show/osvdb/90641>

Changelog

[25.02.2013] - Initial release
[26.02.2013] - Added reference [1], [2], [3] and [4]
[27.02.2013] - Added reference [5]
[28.02.2013] - Added reference [6], [7] and [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;