Date: Tue, 9 Oct 2012 18:44:21 +0200
From: Malte Müller <info@...tem.de>
To: Scott Herbert <scott.a.herbert@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, Stephen Billard <stephen@...llard.org>
Subject: Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2

Hi Scott,

thanks, we always appreciate notes about unfixed issues. We did fix the actual issue reported in the function printPublishIconLink() last time:
> Sanitize the $_GET super global on lines 1637 through 1641 in
> zenpage-admin-functions.php file
We also fixed a few other similar finds in 1.4.3.3. This one is indeed the same issue type, but actually a different find, which we probably somehow missed when searching.

Please try the current trunk nightly build and let us know if you find any more issues. The actual official fix will probably have to wait until the next bugfix release at the beginning of November. Note that our chief developer Stephen - I copied him on this mail - is currently unavailable until some time next week.

Best regards,
Malte Müller (acrylian)
--------------------
Zenphoto team
www.zenphoto.org

On 08.10.2012 at 21:52, Scott Herbert wrote:

> Well chalk this one up to another learning experience for a novice bug
> hunter, I took the vendors word that it was fixed and didn't check myself.
> 
> I've BCC'ed in my contact with zenphoto, so they are aware.
> 
> And to my knowledge this issue doesn't currently have a CVE.
> 
> Bugger!
> 
>> -----Original Message-----
>> From: Henri Salo [mailto:henri@...v.fi]
>> Sent: 08 October 2012 15:42
>> To: Scott Herbert; security@...photo.org
>> Cc: full-disclosure@...ts.grok.org.uk
>> Subject: Re: [Full-disclosure] Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2
>> 
>> On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
>>> -------------------------
>>> Affected products:
>>> -------------------------
>>> 
>>> Product : 		Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
>>> Affected function:	printPublishIconLink
>>> 
>>> ----------
>>> Details:
>>> ----------
>>> 
>>> The file admin-news-articles.php calls the function printPublishIconLink
>>> which generates HTML from data stored in the $_GET super global. This can
>>> be used to generate an XSS attack or, more seriously, as an admin user needs
>>> to be logged in to access the page admin-news-articles.php, a cookie stealing
>>> script.
>>> 
>>> Example code:
>>> http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
>>> 
>>> --------------------
>>> Suggested fix:
>>> --------------------
>>> 
>>> Sanitize the $_GET super global on lines 1637 through 1641 in
>>> zenpage-admin-functions.php file
>>> 
>>> ------------
>>> Timeline:
>>> ------------
>>> 
>>> 12-Sept-2012  Zenphoto and UK-CERT informed
>>> 18-Sept-2012 Zenphoto confirmed and fixed (see
>>> http://www.zenphoto.org/trac/changeset/10836).
>>> 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
>>> 
>>> --
>>> Scott Herbert Cert Web Apps (Open)
>>> http://blog.scott-herbert.com/
>>> Twitter @Scott_Herbert
>> 
>> Hello list,
>> 
>> Zenphoto 1.4.3.3 (tar.gz 3fe44951e33e726d2bba229880885075) is still
>> affected by this vulnerability. Please notice "OSVDB is not aware of a
>> solution for this vulnerability. The original disclosure states that the
>> vendor claimed to have fixed this issue in version 1.4.3.3, but Secunia has
>> confirmed it to still be vulnerable." from http://osvdb.org/85899 and I
>> verified this manually. Does this vulnerability have CVE-identifier?
>> 
>> - Henri Salo
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
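The defect discussed in this thread is a request parameter written into generated HTML without encoding. The following is an added example, not Zenphoto's code: a hypothetical link-rendering helper in the style of printPublishIconLink(), shown in its unescaped form beside a hardened form that validates the value and encodes it for the attribute context. The "YYYY-MM" date shape and the function names are assumptions; the input is constructed from the decoded query string in the advisory rather than read from the real $_GET.

```php
<?php
// Added example (not Zenphoto's code). Hypothetical helper modelled on the
// pattern described in the advisory: a $_GET value reaches the HTML output.
// Input is a constructed array so the script runs offline without a web server.

// Vulnerable pattern: the request parameter is concatenated straight into HTML.
function renderLinkUnsafe(array $get): string {
    $date = $get['date'] ?? '';
    return '<a href="admin-news-articles.php?date=' . $date . '">Publish</a>';
}

// Hardened pattern: reject values that do not match the expected shape, then
// encode whatever remains for the HTML attribute context before output.
function renderLinkSafe(array $get): string {
    $date = $get['date'] ?? '';
    // Assumed format for the archive date parameter: "YYYY-MM".
    // Anything else is dropped rather than echoed back.
    if (!preg_match('/^\d{4}-\d{2}$/', $date)) {
        $date = '';
    }
    // ENT_QUOTES encodes both " and ' so the attribute cannot be closed early.
    $enc = htmlspecialchars($date, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="admin-news-articles.php?date=' . $enc . '">Publish</a>';
}

// Constructed input: the advisory's query string, URL-decoded.
$request = ['date' => '"><script>alert(\'Cookie sealing Javascript\');</script><'];

// Unsafe: the quote closes the href attribute and a <script> element is emitted.
echo renderLinkUnsafe($request), PHP_EOL;
// Safe: the value fails validation and nothing attacker-controlled reaches the page.
echo renderLinkSafe($request), PHP_EOL;
// Safe with a legitimate value: passes validation and is output unchanged.
echo renderLinkSafe(['date' => '2012-10']), PHP_EOL;
```

Run with `php example.php`; the second line of output is a link with an empty `date=` value, and the third is the unchanged legitimate link.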
