Vulnerability in 'ultimate slideshow'?



Canuckster
02-18-2011, 01:18 AM
Hi. My search for a decent JavaScript slideshow brought me here (to http://www.dynamicdrive.com/dynamicindex14/fadeinslideshow.htm). In the course of due diligence, I thought I'd see if I could dig up any security risks that might be associated with that script, and I came across this page:

http://securityreason.com/exploitalert/6935

I'm not sure what to make of it, because while the exploit's description doesn't seem to make much sense (user_register and uadd? what do they have to do with a slideshow anyway? if there's no user-supplied content then what could go wrong?), the site appears legitimate and they do name both this site and the slideshow specifically.

Does anyone have any comment on this? If the vulnerability has been fixed (it's for an older version than current) I'd like to know ... plus I wouldn't mind a better understanding of what the supposed exploit is.

Thanks for any feedback.

traq
02-18-2011, 03:15 AM
The DD ultimate fade-in slideshow doesn't do any of the things listed on that page (no user registration, no "add new events", no uploads; as you noted, no user-submitted content - no server interaction - at all). I'd say it's a different script entirely that happens to have the same name. The reference to this site might be a mistake, I don't know. The "report" is kinda vague.