Re: CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081

[Kurt Seifried <kseifried () redhat com>]

On 03/30/2012 01:58 AM, Henri Salo wrote:
> Can I get 2012 CVE-identifier for stored XSS in Coppermine 1.5.18 edit_ont_pic.php keywords.
>
> ID: waraxe-2012-SA#081
> Original advisory: http://www.waraxe.us/advisory-81.html
> Mailing list post: http://seclists.org/bugtraq/2012/Mar/166
>
> """
> Reason: failure to sufficiently sanitize user-supplied input data
> Preconditions: privileges needed for picture keywords editing
>
> Coppermine user with appropriate privileges is able to modify picture information:
>
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
>
> There is a field in form named as "Keywords (separate with semicolon)".
> After insertion to database those keywords are later used in html meta section.
> It appears, that specific user supplied data is not properly validated before
> outputting as html to the end user, resulting in Stored XSS vulnerability.
>
> Testing:
>
> 1. Open picture information editing page:
>
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
>
> 2. Insert XSS payload below as keywords and click "Apply changes":
>
> "><body onload=javascript:alert(String.fromCharCode(88,83,83))>
>
> After that issue request to view this image:
>
> http://localhost/cpg1518/displayimage.php?pid=1
>
> As result we can observe XSS payload execution.
> """
>
> There is also four different path disclosure vulnerabilities (includes plugins), but I think one CVE-identifier for 
> this advisory is enough as these are all in the same version and path disclosure is very low severity.
>
> - Henri Salo

What about the path disclosures?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)