Date: 18 Apr 2005 12:24:34 -0000
From: GHC team <team@....ru>
To: bugtraq@...urityfocus.com
Subject: Vulnerability in Coppermine Photo Gallery 1.3.*

+-----------------------------------------+
| RST/GHC >> Coppermine << ADVISORY       |
| Product: Coppermine Photo Gallery       |
| Version: 1.3.x                          |
| URL: http://coppermine.sourceforge.net/ |
+-----------------------------------------+

[Product Description]
"Coppermine Photo Gallery is a picture gallery script. Users can upload pictures 
with a web browser (thumbnails are created on the fly), rate pictures, add 
comments and send e-cards. The admins can manage the galleries and batch add 
pictures that have been uploaded on the server by FTP. Support for multimedia 
files has been added recently" (from official site description).
    
[Summary]
User-supplied values are not sanitized, which may lead to consequences such as 
IP spoofing in the logs or a cross-site scripting (XSS) attack.

[Details]
Generally, users of Coppermine Gallery can post comments. The remote address and 
the X-Forwarded-For header value are logged for the admin to review.
The X-Forwarded-For value does not pass through any filtering before it is logged 
to the database, and since it is an HTTP request header, the user can set or 
redefine it freely.

Vulnerable script:  include/init.inc.php
---[code]---
     // Client-controlled request header, stored as-is (only stripslashes is applied)
     if (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
         $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']);
     } else {
         // No header present: fall back to the real remote address
         $hdr_ip = $raw_ip;
     }
---[/code]--- 

A user with access to the comments module can spoof the X-Forwarded-For header 
and carry out an XSS attack (for example, to obtain the admin's cookie).
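As an added illustration (not Coppermine's own code), a hardened version of the quoted check: the header is accepted only if its first element parses as an IP address, and any logged value is HTML-escaped before it is shown to the admin. It assumes a modern PHP (filter_var, nullable types) rather than the 2005-era $HTTP_SERVER_VARS API in the advisory.

```php
<?php
// Added example, not Coppermine's code. Assumes PHP >= 7.1.

/**
 * Return a safe client IP for logging. The X-Forwarded-For header is
 * attacker-controlled: only a value that parses as an IP address is
 * accepted, anything else falls back to the TCP peer address.
 */
function safe_client_ip(?string $forwarded_for, string $raw_ip): string
{
    if ($forwarded_for === null || $forwarded_for === '') {
        return $raw_ip;
    }
    // Proxies append addresses as "client, proxy1, proxy2": keep the first hop.
    $first = trim(explode(',', $forwarded_for, 2)[0]);
    if (filter_var($first, FILTER_VALIDATE_IP) === false) {
        return $raw_ip;   // not an IP address: discard the header entirely
    }
    return $first;
}

/** Escape a logged value before it reaches the admin's HTML page. */
function html_safe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_SERVER['HTTP_X_FORWARDED_FOR'].
$raw_ip  = '203.0.113.7';
$samples = [
    '198.51.100.23',              // well-formed header: kept
    '198.51.100.23, 10.0.0.1',    // proxy chain: first hop kept
    '<script>alert(1)</script>',  // injected markup: rejected, peer IP used
    null,                         // header absent: peer IP used
];
foreach ($samples as $hdr) {
    $ip = safe_client_ip($hdr, $raw_ip);
    echo html_safe((string) $hdr) . ' => ' . html_safe($ip) . PHP_EOL;
}
```

Validation on input and escaping on output are independent controls; the escape step still matters for any value that reaches the admin page from a source other than this header.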

