#2 Cross-site scripting

Status: open
Owner: nobody
Priority: 5
Updated: 2011-08-19
Created: 2011-08-19
Private: No

When manipulating the image filename it is possible to inject any HTML and it will be rendered on the error page.

Example:
http://isaac3.sourceforge.net/demo/i3.php/Close.jpg%22%3E%3Cscript%3Ealert\(%22xss%22);%3C/script%3E%3Cb%3EThis%20is%20some%20injected%20text%3C/b%3E%3Cbr%3E%3Ci%3EEven%20more%20injected%20text%3C/i%3E/foo

The error reporting function will only echo $viewdir_fs.
By adding the additional /foo to the URL we fool it into echoing our complete malicious HTML.

I was also able to inject some HTML into the normal (non-error) page.
However, I wasn't able to get any JS to run (adding any "/" will bounce you to the error page) or keep the image displayed correctly.
Still, here is an example of it:
http://isaac3.sourceforge.net/demo/i3.php/Close.jpg%22%3E%3Cb%3EInjected%20Text%3Cbr%3E%3Ci%3EMore%20injected%20text

Cheers,
Roman
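To make the defect and its fix concrete, the following PHP is an added illustration and not code from the isaac3 project: it models the pattern the report describes (a request-path value, $viewdir_fs, echoed into an HTML error page unencoded) and places the hardened form beside it. The shape of the original error reporting code, the message text and the sample input are all assumptions.

```php
<?php
// Added example, not the project's i3.php. It reconstructs the pattern the
// report describes: a value derived from the request path ($viewdir_fs) is
// written into an HTML error page with no output encoding. Both functions take
// the path as an argument so they can be run from the CLI without a web server.

// Vulnerable pattern (assumed shape of the original): the path segment is
// interpolated straight into the markup, so any '<', '>' or quote in the
// filename becomes live HTML on the error page.
function error_page_vulnerable(string $viewdir_fs): string {
    return "<p>Could not open image: $viewdir_fs</p>";
}

// Hardened form: encode for an HTML context before output. ENT_QUOTES also
// converts single and double quotes (so the value is safe inside attributes),
// and ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function error_page_safe(string $viewdir_fs): string {
    $escaped = htmlspecialchars($viewdir_fs, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Could not open image: $escaped</p>";
}

// Defence in depth: accept only segments that look like a plain image filename
// before they reach any code path that echoes them. An allow-list is easier to
// reason about than enumerating dangerous characters.
function is_plausible_image_name(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9._-]+\.(?:jpe?g|png|gif)$/i', $name);
}

// Constructed sample input in the shape the report describes: a filename
// followed by markup and an extra "/foo" segment, as it would appear in
// PATH_INFO after URL decoding.
$sample = 'Close.jpg"><b>This is some injected text</b>/foo';

// The vulnerable version emits the <b> element as markup; the hardened version
// turns the quote and angle brackets into entities, so the browser shows them
// as text and nothing is interpreted.
echo "Vulnerable: ", error_page_vulnerable($sample), PHP_EOL;
echo "Hardened:   ", error_page_safe($sample), PHP_EOL;

// The allow-list check rejects the sample and accepts a normal filename; in a
// real handler the rejected case would return a generic error without echoing
// the input at all.
var_dump(is_plausible_image_name('Close.jpg'));
var_dump(is_plausible_image_name($sample));
```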
