Thread: Vulnerability in 'ultimate slideshow'?

  1. #1

    Vulnerability in 'ultimate slideshow'?

    Hi. My search for a decent JavaScript slideshow brought me here (to http://www.dynamicdrive.com/dynamici...nslideshow.htm). In the course of due diligence, I thought I'd see if I could dig up any security risks that might be associated with that script, and I came across this page:

    http://securityreason.com/exploitalert/6935

    I'm not sure what to make of it, because while the exploit's description doesn't seem to make much sense (user_register and uadd? what do they have to do with a slideshow anyway? if there's no user-supplied content then what could go wrong?), the site appears legitimate and they do name both this site and the slideshow specifically.

    Does anyone have any comment on this? If the vulnerability has been fixed (it's for an older version than current) I'd like to know ... plus I wouldn't mind a better understanding of what the supposed exploit is.

    Thanks for any feedback.

  2. #2

    The DD ultimate fade-in slideshow doesn't do any of the things listed on that page (no user registration, no "add new events", no uploads; as you noted, no user-submitted content - no server interaction - at all). I'd say it's a different script, entirely, that happens to have the same name. The reference to this site might be a mistake, I don't know. The "report" is kinda vague.
