- EXPL-A-2006-003 exploitlabs.com Retro Advisory 001 -
- ASPListpics -

RETRO-RELEASE DATE:
===================
Nov 11, 2004

Duplicate Release: June 06, 2006 by: r0t
http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html
http://secunia.com/advisories/20517/

OVERVIEW
========
ASPListpics is a highly configurable ASP application that automatically
generates fast thumbnail web indexes of the images in a folder structure.

AFFECTED PRODUCTS
=================
ASPListpics 4.x
http://www.iisworks.com

DETAILS
=======
1. XSS ( persistent )

PROOF OF CONCEPT LINKS AND RETRO-POC
=====================================
1. XSS ( Cross Site Scripting )

There is a persistent (stored) XSS in the "comments" feature of ASPListpics.
Both of the following fields are stored without output encoding and later
rendered back into the page:

  field "name"
  field "comment"

By embedding script in the comment section, an attacker gets JavaScript
executed in the browser of every user who subsequently views that picture.

Below is a simple PoC ( Proof of Concept ).

Enter a malicious script into the "comments" section:

  comment: ohnoouch

and it is rendered as:

  HTTP://[VULNERABLEHOST]/listpics/listpics.asp?a=rate&ID=[PICID]&Info=< SCRIPTING HERE >9000|0

Note that the stored comment text is echoed both into the HTML body and,
unencoded, into the "Info" query parameter of the rate link, so it needs
HTML encoding in the first context and URL encoding in the second.

CREDITS
=======
r0t - http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html

RETRO-CREDITS
=============
This vulnerability was discovered and researched by Donnie Werner of
exploitlabs. At the original time of discovery and retro-release date, the
author was not aware of any other advisories or patches available.

Retro-Advisories are released when the same research is released by a third
party, when old private research is no longer active, or when the product has
been patched by vendor updates before a formal Exploitlabs advisory was
released to the public.

Donnie Werner
wood@exploitlabs.com
morning_wood@zone-h.org
--
web: http://exploitlabs.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
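The following classic ASP (VBScript) fragment is an added example illustrating the PROOF OF CONCEPT section above; it is not ASPListpics source code and does not come from the advisory's author. It assumes a comment form that posts fields named "name" and "comment" and a picture page that rebuilds the rate link with the comment text in the "Info" parameter, as the rendered URL in the advisory shows. The vulnerable pattern is kept as comments beside the hardened version, which encodes each value for the context it lands in (HTML text versus URL query value inside an href attribute).

```vbscript
<%
Option Explicit
' Added example, not ASPListpics code. Assumed request fields and page
' layout are modelled on the advisory's description of the comments feature.

Dim userName, userComment, picId
userName    = Request.Form("name")        ' attacker-controlled, stored
userComment = Request.Form("comment")     ' attacker-controlled, stored
picId       = Request.QueryString("ID")

' ---------------------------------------------------------------------
' VULNERABLE pattern (the kind of code that produces the advisory's bug).
' Stored text is written straight into HTML and straight into a URL, so a
' comment such as <script>...</script> becomes live markup for every
' visitor of the picture page, and the same text is echoed raw into the
' Info parameter of the rate link.
' ---------------------------------------------------------------------
' Response.Write "<b>" & userName & "</b>: " & userComment
' Response.Write "<a href=""listpics.asp?a=rate&ID=" & picId & _
'                "&Info=" & userComment & "9000|0"">rate</a>"

' ---------------------------------------------------------------------
' HARDENED pattern: encode for the output context.
' ---------------------------------------------------------------------

' 1. HTML text context: Server.HTMLEncode turns < > & " into entities, so
'    the browser shows the script tags instead of executing them.
Response.Write "<b>" & Server.HTMLEncode(userName) & "</b>: " & _
               Server.HTMLEncode(userComment)

' 2. URL query-value context: Server.URLEncode percent-encodes the value
'    (including < > " and the "|" of the trailing "9000|0" token copied
'    from the advisory's rendered link; its meaning is not documented there).
Dim rateUrl
rateUrl = "listpics.asp?a=rate&ID=" & Server.URLEncode(picId) & _
          "&Info=" & Server.URLEncode(userComment & "9000|0")

' 3. The finished URL sits inside an HTML attribute, so it is HTML-encoded
'    as well; the two encodings nest and do not interfere.
Response.Write "<a href=""" & Server.HTMLEncode(rateUrl) & """>rate</a>"
%>
```

Encoding at output time, per context, is the fix; stripping or blacklisting `<script` on input is not, because the same stored text reaches more than one context (here HTML text and a URL parameter) and each needs its own encoder. Classic ASP ships both `Server.HTMLEncode` and `Server.URLEncode`, so no third-party library is required.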