Praetorian503 Posted February 12, 2013 Report Share Posted February 12, 2013 IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability# Exploit Title: IP.Gallery 4.2.x and 5.0.x persistent XSS vulnerability# Date: 8/2/2013# Exploit Author: Mohamed Ramadan# Author HomePage: http://www.Attack-Secure.com# Author Twitter : https://twitter.com/Attack_Secure# Vendor Homepage: http://www.invisionpower.com/# Software Link: http://www.invisionpower.com/apps/gallery/# Version: IP.Gallery 4.2.x and 5.0.ximage title is vulnerable to persistent XSS vulnerability which allow anynormal member to hack any administrator account or any other member account.we contacted the vendor and reported this issue to them and they fixed itand released this patch:http://community.invisionpower.com/topic/379028-ipgallery-42x-and-50x-security-update/Here is a video demonstrating the attack in action :https://docs.google.com/file/d/0B_cpjifQmPbZMmxVcEdqU3A1aU0/edit?usp=sharingand here is another video demonstrating how to bypass httponly cookies :https://docs.google.com/file/d/0B_cpjifQmPbZemFsbFJDRnVkVTA/edit?usp=sharingMohamed Ramadan ( Attack-Secure.com )Source: IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability Quote Link to comment Share on other sites More sharing options...
cristianonow Posted February 13, 2013 Report Share Posted February 13, 2013 frate ce este asta? Quote Link to comment Share on other sites More sharing options...
