| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Oct 2012 07:16:11 +0100 From: Scott Herbert <scott.a.herbert@...glemail.com> To: <full-disclosure@...ts.grok.org.uk> Subject: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 ------------------------- Affected products: ------------------------- Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3 Affected function: printPublishIconLink ---------- Details: ---------- The file admin-news-articles.php calls the function printPublishIconLink which generates HTML from data stored in the $_GET super global, this can be used to generate a XSS attack or more seriously, as a admin user need to be logged in to access the page admin-news-articles.php, a cookie stealing script. Example code: http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles. php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3 C/script%3E%3C> -------------------- Suggested fix: -------------------- Sanitize the $_GET super global on lines 1637 through 1641 in zenpage-admin-functions.php file ------------ Timeline: ------------ 12-Sept-2012 Zenphoto and UK-CERT informed 18-Sept-2012 Zenphoto confirmed and fixed (see http://www.zenphoto.org/trac/changeset/10836). 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole. -- Scott Herbert Cert Web Apps (Open) http://blog.scott-herbert.com/ Twitter @Scott_Herbert _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists