Full Disclosure mailing list archives
Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2
From: Henri Salo <henri () nerv fi>
Date: Mon, 8 Oct 2012 17:41:43 +0300
On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
------------------------- Affected products: ------------------------- Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3 Affected function: printPublishIconLink ---------- Details: ---------- The file admin-news-articles.php calls the function printPublishIconLink which generates HTML from data stored in the $_GET super global, this can be used to generate a XSS attack or more seriously, as a admin user need to be logged in to access the page admin-news-articles.php, a cookie stealing script. Example code: http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles. php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3 C/script%3E%3C> -------------------- Suggested fix: -------------------- Sanitize the $_GET super global on lines 1637 through 1641 in zenpage-admin-functions.php file ------------ Timeline: ------------ 12-Sept-2012 Zenphoto and UK-CERT informed 18-Sept-2012 Zenphoto confirmed and fixed (see http://www.zenphoto.org/trac/changeset/10836). 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole. -- Scott Herbert Cert Web Apps (Open) http://blog.scott-herbert.com/ Twitter @Scott_Herbert
Hello list, Zenphoto 1.4.3.3 (tar.gz 3fe44951e33e726d2bba229880885075) is still affected by this vulnerability. Please notice "OSVDB is not aware of a solution for this vulnerability. The original disclosure states that the vendor claimed to have fixed this issue in version 1.4.3.3, but Secunia has confirmed it to still be vulnerable." from http://osvdb.org/85899 and I verified this manually. Does this vulnerability have CVE-identifier? - Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Scott Herbert (Oct 02)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Benji (Oct 02)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Scott Herbert (Oct 02)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Henri Salo (Oct 08)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Scott Herbert (Oct 08)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Malte Müller (Oct 10)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Scott Herbert (Oct 08)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Henri Salo (Oct 11)
- Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2 Benji (Oct 02)