Full Disclosure mailing list archives
Re: Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2
From: Henri Salo <henri () nerv fi>
Date: Thu, 11 Oct 2012 20:27:49 +0300
On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
-------------------------
Affected products:
-------------------------

Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
Affected function: printPublishIconLink

----------
Details:
----------

The file admin-news-articles.php calls the function printPublishIconLink which generates HTML from data stored in the $_GET super global, this can be used to generate an XSS attack or more seriously, as an admin user needs to be logged in to access the page admin-news-articles.php, a cookie stealing script.

Example code:

http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>

--------------------
Suggested fix:
--------------------

Sanitize the $_GET super global on lines 1637 through 1641 in zenpage-admin-functions.php file

------------
Timeline:
------------

12-Sept-2012 Zenphoto and UK-CERT informed
18-Sept-2012 Zenphoto confirmed and fixed (see http://www.zenphoto.org/trac/changeset/10836).
1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.

--
Scott Herbert Cert Web Apps (Open)
http://blog.scott-herbert.com/
Twitter @Scott_Herbert

Identifier CVE-2012-4519 has been assigned for this issue
http://www.openwall.com/lists/oss-security/2012/10/11/4

- Henri Salo
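
The fix suggested in the advisory (sanitizing the $_GET values that end up in the generated link), sketched as an added example that is not part of the original posts and is not Zenphoto's code. The function names, the link markup and the YYYY-MM date format are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical helper names; not Zenphoto source code.

// Vulnerable pattern: request data concatenated straight into an HTML attribute.
function publishLinkUnsafe(array $get): string
{
    $date = isset($get['date']) ? '&date=' . $get['date'] : '';
    return '<a href="?publish=1' . $date . '">publish</a>';
}

// Hardened pattern: validate the value against its expected shape, then encode
// for each context it passes through (URL component first, HTML attribute last).
function publishLinkSafe(array $get): string
{
    $query = ['publish' => '1'];
    // Assumption: the date filter is a YYYY-MM string; anything else is dropped.
    if (isset($get['date']) && is_string($get['date'])
        && preg_match('/\A\d{4}-\d{2}\z/', $get['date']) === 1) {
        $query['date'] = $get['date'];
    }
    $href = '?' . http_build_query($query);   // URL-encodes every value
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">publish</a>';
}

// Constructed sample inputs: one well-formed value, one that closes the
// attribute and injects markup, one that is not a string at all.
$wellFormed = ['date' => '2012-10'];
$breakout   = ['date' => '"><b>injected</b>'];
$nonString  = ['date' => ['unexpected' => 'array']];

// The unsafe builder lets the value terminate href="..." and add its own tag.
echo publishLinkUnsafe($breakout), "\n";

// The safe builder keeps valid dates and silently drops everything else.
foreach ([$wellFormed, $breakout, $nonString] as $get) {
    echo publishLinkSafe($get), "\n";
}
```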