InselPhoto v1.1 Persistent XSS Vulnerability

vendor:

InselPhoto

by:

Paul Hand aka rAWjAW

7.5

CVSS

HIGH

Persistent XSS

CWE

Product Name: InselPhoto

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: Yes

Related CWE: N/A

CPE: inselphoto

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

InselPhoto v1.1 Persistent XSS Vulnerability

For this Persistent XSS to work, a user must create a user account, create an album, upload a picture to the album, and put a malicious script as the description. When someone views the slideshow, the script will be executed.

Mitigation:

Input validation should be used to prevent malicious scripts from being executed.

Source

Exploit-DB raw data:

###########################################################
# Software: InselPhoto v1.1 Persistent XSS Vulnerability  #
# Discovered by: Paul Hand aka rAWjAW                     #
# Blog: http://rawjaw-security.blogspot.com               #
# E-mail: phand3754<at>gmail<dot>com                      #
# Shouts: rBg && eternal_security                         #
###########################################################

For this Persistent XSS to work you have to:
1. Create a user account
2. Create an album
3. Upload any picture to the photo album you created and put as the description something such as: <script>alert(document.cookie)</script>
4. Now have anyone view your slideshow!

# milw0rm.com [2009-02-16]