oss-sec mailing list archives
CVE request: Zenphoto 1.4.5.4
From: Henri Salo <henri () nerv fi>
Date: Mon, 30 Dec 2013 01:38:01 +0200
Can I get CVEs for the following issues in Zenphoto, thanks.

Advisory: http://www.enkomio.com/Advisory/SOJOBO-ADV-13-01
http://seclists.org/bugtraq/2013/Oct/20
Advisory ID: SOJOBO-ADV-13-01
Vendor news: http://www.zenphoto.org/news/zenphoto-1.4.5.4
http://osvdb.org/98091
http://osvdb.org/98092

"""
A) Cross Site Scripting in mergedRSS.php [Impact: 3/5]

Follow a trace to reach the vulnerable code.

File: zp-core\zp-extensions\mergedRSS.php

43: $MergedRSS = new MergedRSS($feeds, strip_tags(get_language_string($gallery->getTitle(), $locale)), FULLWEBPATH, strip_tags(get_language_string($gallery->getDesc(), $locale)), $feed_date);
..
46: $MergedRSS->export(false, true, 20);
..
98: public function export($return_as_string = true, $output = false, $limit = null) {
..
140: $xml .= "\t<atom:link href=\"http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']."\"; rel=\"self\" type=\"application/rss+xml\" />\n";
..
165: if ($output) { echo $xml; }

The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML code.

B) Sql Injection in wordpress_import.php [Impact: 1/5]

This vulnerability has various preconditions that need to be satisfied in order to be exploited. Admin rights are necessary; also the user must specify a valid hostname, username and password for the database connection (can be obtained via password guessing). Due to these preconditions the impact was lowered to Very Low.

Follow a trace to reach the vulnerable code.

File: zp-core\zp-extensions\wordpress_import.php

76: if(isset($_REQUEST['dbname']) || isset($_REQUEST['dbuser']) || isset($_REQUEST['dbpass']) || isset($_REQUEST['dbhost'])) {
..
82: $wp_prefix = sanitize($_REQUEST['tableprefix']);
..
120: if(!isset($_GET['refresh'])) {
121: $cats = wp_query_full_array("SELECT * FROM ".wp_prefix('terms',$wp_prefix)." as terms, ".wp_prefix('term_taxonomy',$wp_prefix)." as tax WHERE tax.taxonomy = 'category' AND terms.term_id = tax.term_id",$wpdbconnection);
..
55: function wp_query_full_array($sql,$wpconnection) {
56: $result = mysql_query($sql,$wpconnection) or die(gettext("Query failed : ") . mysql_error());

where 'wp_prefix' is:

67: function wp_prefix($tablename,$wp_prefix) {
68: return '`'.$wp_prefix.$tablename.'`';
69: }

the function 'sanitize' is:

File: zp-core\functions-common.php

145: function sanitize($input_string, $sanitize_level=3) {
..
152: $output_string = sanitize_string($input_string, $sanitize_level);
..
177: function sanitize_string($input, $sanitize_level) {
..
192: case 3:
..
194: return strip_tags($input);

'strip_tags' doesn't validate against SQL Injection vulnerabilities. In order to exploit this vulnerability the user must be logged in as admin; this precondition severely limits the impact.
"""

---
Henri Salo
Attachment:
signature.asc
Description: Digital signature
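The two weak points in the advisory, each beside a hardened counterpart, as an added PHP example that is neither Zenphoto's code nor the fix shipped in 1.4.5.4 (which this page does not show): strip_tags() removes only HTML tags and leaves SQL metacharacters intact, so a table prefix must pass an identifier allow-list before it is spliced into a query, and the feed's self link should be built from a configured base URL and HTML-escaped rather than taken raw from PHP_SELF. Function names and the base URL are assumptions.

```php
<?php
// Added illustration, not Zenphoto code. Function names are hypothetical.

// Mirrors the advisory's sanitize() at level 3: only HTML tags are removed.
function tag_strip_only(string $input): string {
    return strip_tags($input);
}

// Hardened replacement for wp_prefix(): a MySQL table prefix is an
// identifier, so accept only identifier characters and reject everything
// else instead of trying to escape it.
function safe_wp_prefix(string $tablename, string $prefix): string {
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $prefix)) {
        throw new InvalidArgumentException('table prefix must match [A-Za-z0-9_]{1,32}');
    }
    return '`' . $prefix . $tablename . '`';
}

// Hardened replacement for the atom:link line in export(): the base URL
// comes from configuration (assumed here as a parameter) rather than
// HTTP_HOST, and the whole href is escaped for an XML attribute.
function safe_self_link(string $base, string $script): string {
    $href = htmlspecialchars($base . '/' . ltrim($script, '/'),
                             ENT_QUOTES | ENT_XML1, 'UTF-8');
    return "\t<atom:link href=\"$href\" rel=\"self\" type=\"application/rss+xml\" />\n";
}

// Constructed inputs: a prefix containing a backtick, which strip_tags()
// passes through unchanged, and a script path carrying markup of the
// kind PHP_SELF can reflect.
$prefix = 'wp_`x';
echo 'strip_tags left the backtick: ',
     (tag_strip_only($prefix) === $prefix ? 'yes' : 'no'), "\n";   // yes

try {
    safe_wp_prefix('terms', $prefix);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo safe_wp_prefix('terms', 'wp_'), "\n";   // `wp_terms`

echo safe_self_link('http://example.invalid',
                    '/zp-core/zp-extensions/mergedRSS.php/<b>'), "\n";
```

The last line shows the angle brackets arriving as `&lt;b&gt;` inside the attribute, so the markup can no longer break out of the href.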
Current thread:
- CVE request: Zenphoto 1.4.5.4 Henri Salo (Dec 29)
- Re: CVE request: Zenphoto 1.4.5.4 cve-assign (Dec 30)