oss-sec mailing list archives
Re: CVE request: piwigo XSS in password.php
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 10 Feb 2013 21:49:26 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/09/2013 06:14 PM, Kurt Seifried wrote:
So Henri Salo pointed out that I never assigned a CVE for this: http://www.openwall.com/lists/oss-security/2012/10/06/2 Which raises a good note: do not be afraid to bug me if some time goes by without an answer or at least a reply/question.Hi,A XSS vulnerability has been reported in piwigo's password.php before 2.4.4: http://piwigo.org/bugs/view.php?id=0002750 http://secunia.com/advisories/50510/However, as stated in the Secunia advisory, the fix does not entirely address the issue. For context, the stripslashes/strip_tags'ed POST variable is included in the template as following: <input type="text" id="username_or_email" name="username_or_email" ... value="{$username_or_email}">(some parts redacted for clarity)So, two ids are needed. Thanks in advance.Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.-- Raphael Geissert - Debian Developer www.debian.org - get.debian.netPlease use CVE-2012-6126 for this issue.
Someone (who wishes to remain anonymous, but they rock!) pointed out that this was already assigned: http://seclists.org/oss-sec/2012/q4/98 Please REJECT CVE-2012-6126 and use CVE-2012-4525/CVE-2012-4526 as mentioned above instead. Thanks to my anonymous benefactor. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRGHhVAAoJEBYNRVNeJnmT4wgQAJtQ+ew7WmUw0PWp0UkQ9Tpg +tf85hIklvunyv88g7i9vh0NtPaP08J4CT8BWDhUMDOkMP72/+30i5gViayO/o3k FpgXZRnJupMUBe4/nz290xM/mjPomU8VTT7YJHT3Q9+y3rZ/D6SJj2JUs9jkfbD9 ySU8v8l4bEH4NZegU1Xy4L55SaZ7vr9IBJ+V+1PNP/XdgGucIO0Lq6K00vad7QtV Nh8yUtyXcLv9M3v3UQeRnm912JDjxr50Mw/yNASAcqFYd9UzVUyvhAfcKA1VdFBy FPBO0ZotylLNyypShptmw3UgMQtrtDIDhdU4yv2nkjz08bipZEQJ5afl7PIUS2Mf U05HiNIcF5tXESCdEl2N/MW1QTaUs8UZ24snWMbHIfCfdDaAsbnU/xFg8pZrvxRw /Wg43w1TC9XzO0vSGYKEilh0BTbEpNhjatcqwQ1NYHdVs0CJjt9MX4tVh4P/PFKo VJIJB3dD0yItNJdzumYQRL2JGmHurRV8TlZ5GXf6nsSZkSd7l3EOdUz+CNSMr4t6 nqxAysO1aP0LsxFyWg26aRvSfir6Q+TUTub0g1u/VySYwgZ4EoE+0IcCZ4SAUX7R 8Af5sqTm38RY0F/4AldsQnbfVDx3HSmSa8MORisWBi5ZeH4yllczr6S5ZQ6/12Wa iX1Dq3juckHbhicDWiI2 =3Bp6 -----END PGP SIGNATURE-----
Current thread:
- CVE request: piwigo XSS in password.php Kurt Seifried (Feb 09)
- Re: CVE request: piwigo XSS in password.php Kurt Seifried (Feb 10)
- Re: CVE request: piwigo XSS in password.php Henri Salo (Feb 10)
- Re: CVE request: piwigo XSS in password.php Kurt Seifried (Feb 12)