Pixelpost 1.7.3 Multiple Persistent Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-4991
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 11.02.2011
Summary
Pixelpost is an open-source, standards-compliant, multi-lingual, fully extensible photoblog application for the web. Anyone who has web-space that meets the requirements can download and use Pixelpost for free!
Description
Pixelpost is vulnerable to multiple cross-site scripting vulnerabilities, stored and non-persistent (reflected). Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
Vendor
Pixelpost.org - http://www.pixelpost.org
Affected Version
1.7.3
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
pixelpost_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/98427
[2] http://securityreason.com/wlb_show/WLB-2011020048
[3] http://www.securityfocus.com/bid/46348
Changelog
[11.02.2011] - Initial release
[12.02.2011] - Added reference [1] and [2]
[14.02.2011] - Added reference [3]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk