Test ID:1.3.6.1.4.1.25623.1.0.900974
Category:Web application abuses
Title:TFT Gallery XSS And Directory Traversal Vulnerabilities
Summary: TFT Gallery is prone to Cross-Site Scripting and Directory Traversal vulnerabilities.
Description:
Summary:
TFT Gallery is prone to Cross-Site Scripting and Directory Traversal vulnerabilities.

Vulnerability Insight:
- Input passed via the 'sample' parameter to settings.php is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code or conduct XSS attacks.

- Input passed via the 'album' parameter to index.php is not properly
verified before being used to include files. This can be exploited to
include arbitrary files from local resources via directory traversal
('../' sequences) and URL-encoded NULL bytes.
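
The following is an added example of how the two parameters named above can be handled safely on the server side; it is not TFT Gallery's code. The albums base directory, the function names and the single-component album-name rule are assumptions for illustration.

```php
<?php
// Added example (not TFT Gallery's code): hardened handling of the 'album'
// and 'sample' parameters described in the advisory.
const ALBUM_ROOT = __DIR__ . '/albums';   // assumed album base directory

// Return the validated album directory, or null if the input is rejected.
function resolveAlbumDir(string $album): ?string
{
    // A valid album name is one path component: this rejects '../',
    // slashes and NUL bytes (PHP already URL-decodes %00 into a raw NUL
    // before the value reaches $_GET, so the regex sees the byte itself).
    if ($album === '' || strlen($album) > 64
        || !preg_match('/\A[A-Za-z0-9_-]+\z/', $album)) {
        return null;
    }
    $root = realpath(ALBUM_ROOT);
    $candidate = realpath(ALBUM_ROOT . '/' . $album);
    // Containment check: the resolved path must stay under the album root,
    // even if a symlink inside the tree points elsewhere.
    if ($root === false || $candidate === false
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Encode a user-supplied value before reflecting it into HTML output
// (the 'sample' parameter case).
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Query-string values may arrive as arrays; accept only plain strings.
$album  = is_string($_GET['album'] ?? null)  ? $_GET['album']  : '';
$sample = is_string($_GET['sample'] ?? null) ? $_GET['sample'] : '';

$dir = resolveAlbumDir($album);
if ($dir === null) {
    http_response_code(400);
    exit('Unknown album');
}
include $dir . '/settings.php';   // only reached for an allowlisted directory

echo '<p>Sample: ' . escapeForHtml($sample) . '</p>';
```

Rejecting the request outright, rather than stripping '../' and retrying, avoids the filter-bypass problems that stripping approaches tend to have.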

Vulnerability Impact:
Successful exploitation will allow remote attackers to disclose
sensitive information and conduct cross-site scripting attacks.

Affected Software/OS:
TFT Gallery version 0.13 and prior on all platforms.

Solution:
Upgrade to version 0.13.1 or later.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-3911
BugTraq ID: 36898
http://www.securityfocus.com/bid/36898
http://packetstormsecurity.org/0911-exploits/tftgallery-traversal.txt
http://secunia.com/advisories/37156
XForce ISS Database: tftgallery-sample-xss(54087)
https://exchange.xforce.ibmcloud.com/vulnerabilities/54087
Common Vulnerability Exposure (CVE) ID: CVE-2009-3912
BugTraq ID: 36899
http://www.securityfocus.com/bid/36899
Copyright: Copyright (C) 2009 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.