phpThumb() v1.7.11 (dir & title) Cross-Site Scripting Vulnerability

Title: phpThumb() v1.7.11 (dir & title) Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2012-5088
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 16.05.2012
Summary
phpThumb() uses the GD library to create thumbnails from images (JPEG, PNG, GIF, BMP, etc) on the fly. The output size is configurable (can be larger or smaller than the source), and the source may be the entire image or only a portion of the original image.
Description
phpThumb is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'dir' and the 'title' parameter of the 'phpThumb.demo.random.php' and 'phpThumb.demo.showpic.php' scripts. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
Vendor
SiliSoftware - http://www.silisoftware.com
Affected Version
1.7.11-201108081537
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.8
MySQL 5.5.20
Vendor Status
N/A
PoC
phpthumb_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2012050118
[2] http://packetstormsecurity.org/files/112797
[3] http://www.securityfocus.com/bid/53572
[4] http://www.1337day.com/exploits/18286
[5] http://xforce.iss.net/xforce/xfdb/75709
[6] http://www.osvdb.org/show/osvdb/82295
[7] http://www.osvdb.org/show/osvdb/82296
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2910
Changelog
[16.05.2012] - Initial release
[18.05.2012] - Added reference [2], [3] ana [4]
[20.05.2012] - Added reference [5]
[30.05.2012] - Added reference [6], [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk