iManager plugin versions 1.2.8 build 02012008 and below suffer from a cross site scripting vulnerability when parsing user input to the 'dir' parameter via GET method in 'random.php' and 'phpThumb.demo.random.php'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
4c4c2b763221737d36a6acfffd6dbb477bc08d64d63061a263200f70c4504d7a
iManager Plugin v1.2.8 (dir) Remote Cross-Site Scripting Vulnerability
Vendor: net4visions.com
Product web page: http://www.net4visions.com
Affected version: <= 1.2.8 Build 02012008
Summary: With iManager you can manage your files/images on your webserver,
and it provides user interface to most of the phpThumb() functions. It works
either stand-alone or as a plugin to WYSIWYG editors like tinyMCE, SPAW,
htmlAREA, Xinha and FCKeditor.
Desc: iManager suffers from a XSS vulnerability when parsing user
input to the 'dir' parameter via GET method in 'random.php' and
'phpThumb.demo.random.php'. Attackers can exploit this weakness to
execute arbitrary HTML and script code in a user's browser session.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Advisory ID: ZSL-2011-5045
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5045.php
15.09.2011
--
http://SOME_CMS/jscripts/tiny_mce/plugins/imanager/scripts/random.php?dir=<script>alert('zsl')</script>
http://SOME_CMS/jscripts/tiny_mce/plugins/imanager/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert('zsl')</script>