Pixelpost 1.7.3 Multiple Persistent Cross-Site Scripting Vulnerabilities

Medium
Advisory ID
ZSL-2011-4991
Release Date
11 February 2011
Vendor
Pixelpost.org - http://www.pixelpost.org
Affected Version
1.7.3
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Pixelpost is an open-source, standards-compliant, multi-lingual, fully extensible photoblog application for the web. Anyone who has web-space that meets the requirements can download and use Pixelpost for free!

Description

Pixelpost is affected by multiple cross-site scripting vulnerabilities, both stored (persistent) and reflected (non-persistent). Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
11.02.2011 - Initial release
12.02.2011 - Added reference [1] and [2]
14.02.2011 - Added reference [3]