Full Disclosure mailing list archives

Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2

From: Scott Herbert <scott.a.herbert () googlemail com>
Date: Mon, 8 Oct 2012 20:52:41 +0100

Well chalk this one up to another learning experience for a novice bug
hunter, I took the vendors word that it was fixed and didn't check myself.

I've BCC'ed in my contact with zenphoto, so they are aware.

And to my knowledge this issue doesn't currently have a CVE.

Bugger!

-----Original Message-----
From: Henri Salo [mailto:henri () nerv fi]
Sent: 08 October 2012 15:42
To: Scott Herbert; security () zenphoto org
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Cookie stealing and XSS vulnerable in

Zenphoto

version 1.4.3.2

On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:

-------------------------
Affected products:
-------------------------

Product :           Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
Affected function:  printPublishIconLink

----------
Details:
----------

The file admin-news-articles.php calls the function printPublishIconLink
which generates HTML from data stored in the $_GET super global, this

can

be

used to generate a XSS attack or more seriously, as a admin user need to

be

logged in to access the page admin-news-articles.php, a cookie stealing
script.

Example code:
http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-

articles.

php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascrip
t%27%29;%3

C/script%3E%3C>

--------------------
Suggested fix:
--------------------

Sanitize the $_GET super global on lines 1637 through 1641 in
zenpage-admin-functions.php file

------------
Timeline:
------------

12-Sept-2012  Zenphoto and UK-CERT informed
18-Sept-2012 Zenphoto confirmed and fixed (see
http://www.zenphoto.org/trac/changeset/10836).
1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.

--
Scott Herbert Cert Web Apps (Open)
http://blog.scott-herbert.com/
Twitter @Scott_Herbert


Hello list,

Zenphoto 1.4.3.3 (tar.gz 3fe44951e33e726d2bba229880885075) is still
affected by this vulnerability. Please notice "OSVDB is not aware of a

solution

for this vulnerability. The original disclosure states that the vendor

claimed to

have fixed this issue in version 1.4.3.3, but Secunia has confirmed it to

still be

vulnerable." from http://osvdb.org/85899 and I verified this manually.

Does

this vulnerability have CVE-identifier?

- Henri Salo



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Scott Herbert (Oct 02)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Benji (Oct 02)
  - Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Scott Herbert (Oct 02)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Henri Salo (Oct 08)
  - Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Scott Herbert (Oct 08)
    - Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Malte Müller (Oct 10)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Henri Salo (Oct 11)