lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 8 Oct 2012 17:41:43 +0300
From: Henri Salo <henri@...v.fi>
To: Scott Herbert <scott.a.herbert@...glemail.com>, security@...photo.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cookie stealing and XSS vulnerable in
 Zenphoto version 1.4.3.2

On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
> -------------------------
> Affected products:
> -------------------------
> 
> Product : 		Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
> Affected function:	printPublishIconLink
> 
> ----------
> Details:
> ----------
> 
> The file admin-news-articles.php calls the function printPublishIconLink
> which generates HTML from data stored in the $_GET super global, this can be
> used to generate a XSS attack or more seriously, as a admin user need to be
> logged in to access the page admin-news-articles.php, a cookie stealing
> script.
> 
> Example code:
> http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.
> php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3
> C/script%3E%3C>
> 
> --------------------
> Suggested fix:
> --------------------
> 
> Sanitize the $_GET super global on lines 1637 through 1641 in
> zenpage-admin-functions.php file
> 
> ------------
> Timeline:
> ------------
> 
> 12-Sept-2012  Zenphoto and UK-CERT informed
> 18-Sept-2012 Zenphoto confirmed and fixed (see
> http://www.zenphoto.org/trac/changeset/10836).
> 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
> 
> --
> Scott Herbert Cert Web Apps (Open)
> http://blog.scott-herbert.com/
> Twitter @Scott_Herbert

Hello list,

Zenphoto 1.4.3.3 (tar.gz 3fe44951e33e726d2bba229880885075) is still affected by this vulnerability. Please notice "OSVDB is not aware of a solution for this vulnerability. The original disclosure states that the vendor claimed to have fixed this issue in version 1.4.3.3, but Secunia has confirmed it to still be vulnerable." from http://osvdb.org/85899 and I verified this manually. Does this vulnerability have CVE-identifier?

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ