[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <007201cda065$6c1ea0a0$445be1e0$@gmail.com>
Date: Tue, 2 Oct 2012 07:16:11 +0100
From: Scott Herbert <scott.a.herbert@...glemail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Cookie stealing and XSS vulnerable in Zenphoto
version 1.4.3.2
-------------------------
Affected products:
-------------------------
Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
Affected function: printPublishIconLink
----------
Details:
----------
The file admin-news-articles.php calls the function printPublishIconLink
which generates HTML from data stored in the $_GET super global, this can be
used to generate a XSS attack or more seriously, as a admin user need to be
logged in to access the page admin-news-articles.php, a cookie stealing
script.
Example code:
http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.
php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3
C/script%3E%3C>
--------------------
Suggested fix:
--------------------
Sanitize the $_GET super global on lines 1637 through 1641 in
zenpage-admin-functions.php file
------------
Timeline:
------------
12-Sept-2012 Zenphoto and UK-CERT informed
18-Sept-2012 Zenphoto confirmed and fixed (see
http://www.zenphoto.org/trac/changeset/10836).
1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
--
Scott Herbert Cert Web Apps (Open)
http://blog.scott-herbert.com/
Twitter @Scott_Herbert
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists