oss-sec mailing list archives

CVE request: Zenphoto admin-news-articles.php date parameter XSS


From: Henri Salo <henri () nerv fi>
Date: Thu, 11 Oct 2012 16:58:44 +0300

Hello,

Can we assign a 2012 CVE identifier for the issue in Zenphoto zp-core/zp-extensions/zenpage/admin-news-articles.php date parameter XSS? Thanks.

http://osvdb.org/85899
http://seclists.org/fulldisclosure/2012/Oct/17
http://secunia.com/advisories/50799/
http://scott-herbert.com/blog/2012/10/02/cookie-stealing-and-xss-vulnerable-in-zenphotoversion-1-4-3-2-1130

Not fixed in 1.4.3.3. Will be fixed in the next bugfix release at the beginning of November.

Fix in http://www.zenphoto.org/svn/trunk/:
foo@bar:~/zenphoto/trunk$ svn diff -r10048:10942 zp-core/zp-extensions/zenpage/admin-news-articles.php
Index: zp-core/zp-extensions/zenpage/admin-news-articles.php
===================================================================
--- zp-core/zp-extensions/zenpage/admin-news-articles.php   (revision 10048)
+++ zp-core/zp-extensions/zenpage/admin-news-articles.php   (revision 10942)
@@ -109,13 +109,13 @@
            <h1><?php echo gettext('Articles'); ?>
            <?php
            if (isset($_GET['category'])) {
-               echo "<em>".sanitize($_GET['category']).'</em>';
+               echo "<em>".html_encode(sanitize($_GET['category'])).'</em>';
            }
            if (isset($_GET['date'])) {
-               echo '<em><small> ('.$_GET['date'].')</small></em>';
+               $_zp_post_date = sanitize($_GET['date']);
+               echo '<em><small> ('.html_encode($_zp_post_date).')</small></em>';
                // require so the date dropdown is working
                set_context(ZP_ZENPAGE_NEWS_DATE);
-               $_zp_post_date = sanitize($_GET['date']);
            }
            if(isset($_GET['published'])) {
                switch ($_GET['published']) {
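
Review bot: In the `date` branch, `$_zp_post_date` is stored as `sanitize($_GET['date'])` and is HTML-encoded only at this one echo, so any other output of that variable on the page needs its own `html_encode()` call. That should be checked before the date parameter is considered closed. The comment `// require so the date dropdown is working` now sits between the echo and `set_context(ZP_ZENPAGE_NEWS_DATE)`, apart from the assignment that was moved up, so it should state which of the two statements the dropdown depends on. The `category` echo gains `html_encode(sanitize(...))` in the same hunk, which indicates `sanitize()` alone was not treated as sufficient for HTML output there either; the request text names only `date`, so the category parameter should be mentioned alongside it. The unchanged `switch ($_GET['published'])` reads the raw parameter; the cases are not visible here, but it is worth confirming that no branch echoes the value.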


- Henri Salo

