| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 2 Jul 2010 15:49:38 +0200 From: "VUPEN Web Security" <advisories@...en.com> To: <bugtraq@...urityfocus.com> Subject: Zoph Multiple Parameter Cross Site Scripting Vulnerabilities Zoph Multiple Parameter Cross Site Scripting Vulnerabilities I. BACKGROUND --------------------- "Zoph (Zoph Organizes Photos) is a web based digital image presentation and management system. In other words, a photo album. It is built with PHP, MySQL and Perl." II. VULNERABILITIES --------------------- VUPEN Web Vulnerability Research Team discovered multiple vulnerabilities in Zoph. These issues are caused by input validation errors in various scripts when processing the "user_name", "title", "called", "email", "dob", "middle_name", "last_name", "first_name", "subject", "message", "photographer_id", "person_id", "_random", "_rating-op", "rating", "timestamp" and "_timestamp-op" parameters, which could be exploited to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site. III. AFFECTED PRODUCTS --------------------------- Zoph versions prior to 0.8.0.3 Zoph versions prior to 0.8.1.1 IV. SOLUTION ---------------- Upgrade to Zoph version 0.8.0.3 or 0.8.1.1 : http://www.zoph.org/concrete/index.php/download/ V. CREDIT -------------- These vulnerabilities were discovered by Mohammed Boumediane (VUPEN Security) with help of the VUPEN Web Application Security Scanning (WASS) technology: http://www.vupen.com/english/services/wass-index.php VI. VUPEN Web Application Security Scanner (WASS) ---------------------------------------------------- VUPEN Web Application Security Scanner (WASS) is a SaaS security scanning technology which enables corporations and organizations to identify, track and remediate security vulnerabilities affecting their web sites and web applications, prevent criminals from gaining unauthorized access to sensitive data, and comply with security requirements such as PCI. Read More: http://www.vupen.com/english/services/wass-index.php VII. REFERENCES ---------------------- http://www.vupen.com/english/advisories/2010/1680 http://www.zoph.org/concrete/index.php/news/security-releases-for-zoph/ VIII. DISCLOSURE TIMELINE ----------------------------- 2010-05-05 - Vendor notified 2010-05-30 - Vendor response 2010-07-02 - Coordinated public Disclosure
Powered by blists - more mailing lists