BID:22510

Qdig QWD Variable Cross-Site Scripting Vulnerability

Info

Qdig QWD Variable Cross-Site Scripting Vulnerability

Bugtraq ID:	22510
Class:	Input Validation Error
CVE:	CVE-2007-0876
Remote:	Yes
Local:	No
Published:	Feb 10 2007 12:00AM
Updated:	May 12 2015 07:34PM
Credit:	Andrea "bunker" Purificato is credited with discovering this vulnerability.
Vulnerable:	Qdig Qdig 1.2.9 .3 Qdig Qdig devel-20060624

Not Vulnerable:	Qdig Qdig 1.2.9 .4 Qdig Qdig devel-20070210

Discussion

Qdig QWD Variable Cross-Site Scripting Vulnerability

Qdig is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Exploit / POC

Qdig QWD Variable Cross-Site Scripting Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.

Solution / Fix

Qdig QWD Variable Cross-Site Scripting Vulnerability

Solution:
The vendor has released fixes to address this issue. Please see the references for more information.

Qdig Qdig devel-20060624

Qdig qdig-devel.tar.gz
http://qdig.sourceforge.net/files/qdig-devel.tar.gz

Qdig Qdig 1.2.9 .3

Qdig qdig.tar.gz
http://qdig.sourceforge.net/files/qdig.tar.gz

References

Qdig QWD Variable Cross-Site Scripting Vulnerability

References:

Qdig Homepage (Qdig)
[XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel (Andrea Purificato - bunker )
Re: [XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel (Andrea Purificato)