
Cross-site Scripting Vulnerability in ImageFolio Image Gallery Software

by Nikola Strahija on November 28th, 2002


[Alert URL]

http://www.securitytracker.com/alerts/2002/Nov/1005681.html


[Date]

November 27, 2002


[Title]

Cross-site Scripting Vulnerability in ImageFolio Image Gallery Software


[Vendor]

BizDesign


[Product]

ImageFolio


[URL]

http://www.imagefolio.com/


[Description]

An input validation vulnerability exists in ImageFolio version 3.0.1 and
prior versions. A remote user can conduct cross-site scripting attacks.

The flaw exists in various parameters of the 'nph-build.cgi' admin script
and the 'imageFolio.cgi' script (and possibly others).

A demonstration exploit is provided:

/cgi-bin/imageFolio.cgi?direct=

/cgi-bin/if/admin/nph-build.cgi?step=

This vulnerability can be exploited to steal a user's or administrator's
authentication cookies.
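
A detection sketch for the requests described above, added here and not part of the original advisory: it scans web server access log lines for requests to the two named scripts whose query parameters decode to HTML markup characters. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Scripts named in the advisory. It says "various parameters" are affected,
# so every parameter on these scripts is inspected, not only direct/step.
WATCHED_SCRIPTS = {"imagefolio.cgi", "nph-build.cgi"}
# Characters that let a reflected value open a tag or close an attribute.
MARKUP = re.compile(r'[<>"]')
# Request line inside a common/combined log format entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(script, param, decoded_value)] for parameters carrying markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in WATCHED_SCRIPTS:
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded input.
        decoded = unquote(value)
        if MARKUP.search(decoded):
            hits.append((script, name, decoded))
    return hits

def scan(lines):
    """Return [(line_number, script, param, value)] over an iterable of log lines."""
    return [(n, *hit) for n, line in enumerate(lines, 1)
            for hit in suspicious_params(line)]

# Constructed sample log lines (documentation IP range, harmless markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2002:10:00:01 +0000] "GET /cgi-bin/imageFolio.cgi?direct=Nature/Birds HTTP/1.0" 200 5120',
    '192.0.2.44 - - [27/Nov/2002:10:02:13 +0000] "GET /cgi-bin/imageFolio.cgi?direct=%3Cb%3Eprobe%3C/b%3E HTTP/1.0" 200 5301',
    '192.0.2.44 - - [27/Nov/2002:10:02:40 +0000] "GET /cgi-bin/if/admin/nph-build.cgi?step=%253Ci%253Ex HTTP/1.0" 200 911',
    '192.0.2.77 - - [27/Nov/2002:10:05:00 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for lineno, script, param, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {script} {param}={value!r}")
```

A hit means markup reached the script, not that it was reflected unescaped; confirm against the response before treating it as an incident.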


[Vendor Notification]

Jun 9, 2002 - BizDesign (the vendor) was notified and responded that the pending
version 3.0 will contain a fix.
Aug 23, 2002 - Version 3.0 was released without a fix.
Sep 16, 2002 - Version 3.0.1 was released without a fix.
Nov 13, 2002 - Vendor was reminded and responded that the bug will be fixed in
version 3.1, to be released in the beginning of the week of November 18.
Nov 27, 2002 - At the time of this report, the fixed version had not been posted
to the vendor's web site.


[CVE]

CAN-2002-1334

