------------------------------------------------------------
- EXPL-A-2006-003 exploitlabs.com Retro Advisory 001 -
------------------------------------------------------------
- ASPListpics -

RETRO-RELEASE DATE:
===================
Nov 11, 2004

Duplicate Release: June 06, 2006 by: r0t
http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html
http://secunia.com/advisories/20517/

OVERVIEW
========
Listpics is a highly configurable ASP application that automatically
generates fast thumbnail web indexes of images in a folder structure.

AFFECTED PRODUCTS
=================
ASPListpics 4.x
http://www.iisworks.com

DETAILS
=======
1. XSS ( persistent )

PROOF OF CONCEPT LINKS AND RETRO-POC
=====================================
1. XSS ( Cross Site Scripting )

There is persistent XSS inclusion in the "comments" feature of
ASPListpics in the following:

field "name"
field "comment"

By embedding various types of XSS into the comment section, we are
able to render javascript in the user's browser.

Below is a simple PoC ( Proof of Concept ):

Enter malicious script into the "comments" section.

comment: ohnoouch

and it is rendered as:

HTTP://[VULNERABLEHOST]/listpics/listpics.asp?a=rate&ID=[PICID]&Info=< SCRIPTING HERE >9000|0

CREDITS
=======
r0t - http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html

RETRO-CREDITS
=============
This vulnerability was discovered and researched by Donnie Werner of
exploitlabs. At the original time of discovery and retro-release date,
the author was not aware of any other advisories or patches available.

Donnie Werner
Information Security Specialist
wood@exploitlabs.com
morning_wood@zone-h.org
--
web: http://exploitlabs.com
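The root cause the advisory describes is a comment feature that stores the "name" and "comment" fields and later writes them into a page without HTML-encoding them. The following is an added illustration, not code from ASPListpics or from the advisory author: it places a renderer that concatenates stored fields straight into HTML next to one that encodes them for the HTML text context, and runs both over constructed sample records to show which one would ship user-supplied markup to every visitor. All function names and the sample records are assumptions made for this example.

```python
"""Output-encoding check for a comment feature like the one in the advisory.

Added example; not code from ASPListpics.  The function names and the
sample comment records below are constructed for illustration only.
"""
import html
import re

# Constructed sample comment records: one benign, one carrying markup in
# both of the fields the advisory names ("name" and "comment").
SAMPLE_COMMENTS = [
    {"name": "alice", "comment": "nice picture"},
    {"name": "<b>bob</b>", "comment": "<script>alert('xss')</script>"},
]


def render_comment_vulnerable(entry):
    """Concatenate stored user input straight into HTML.

    This is the pattern behind a persistent XSS: whatever was stored is
    emitted verbatim to every visitor who views the comment.
    """
    return "<p><b>%s</b>: %s</p>" % (entry["name"], entry["comment"])


def render_comment_safe(entry):
    """Encode each field for the HTML text context before emitting it.

    Angle brackets, quotes and ampersands become character entities, so
    stored input can no longer open a tag or break out of an attribute.
    """
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(entry["name"], quote=True),
        html.escape(entry["comment"], quote=True),
    )


# Matches the start of any element tag, opening or closing.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def contains_injected_tag(rendered, template_tags=("<p>", "</p>", "<b>", "</b>")):
    """Return True if the fragment contains a tag the template did not emit.

    The template is allowed to produce <p>/<b>; anything else that parses
    as a tag must have come from stored user input.
    """
    stripped = rendered
    for tag in template_tags:
        stripped = stripped.replace(tag, "")
    return bool(TAG_RE.search(stripped))


def audit(entries, renderer):
    """Run every record through a renderer; return those that leak markup."""
    return [entry for entry in entries if contains_injected_tag(renderer(entry))]


if __name__ == "__main__":
    print("vulnerable renderer flags:", audit(SAMPLE_COMMENTS, render_comment_vulnerable))
    print("safe renderer flags:     ", audit(SAMPLE_COMMENTS, render_comment_safe))
```

The same check applies to the classic ASP original: the fix is to pass each stored field through `Server.HTMLEncode` at the point where it is written into the page, not to filter the input on the way in, since the stored value is rendered in more than one place (the comment listing and the `Info` parameter of the rating link shown above).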