[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Cookie stealing and XSS vulnerable in Zenphoto version 1.4.3.2
- From: Scott Herbert <scott.a.herbert@xxxxxxxxxxxxxx>
- Date: Tue, 2 Oct 2012 07:16:11 +0100
-------------------------
Affected products:
-------------------------
Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
Affected function: printPublishIconLink
----------
Details:
----------
The file admin-news-articles.php calls the function printPublishIconLink
which generates HTML from data stored in the $_GET super global, this can be
used to generate a XSS attack or more seriously, as a admin user need to be
logged in to access the page admin-news-articles.php, a cookie stealing
script.
Example code:
http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.
php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3
C/script%3E%3C>
--------------------
Suggested fix:
--------------------
Sanitize the $_GET super global on lines 1637 through 1641 in
zenpage-admin-functions.php file
------------
Timeline:
------------
12-Sept-2012 Zenphoto and UK-CERT informed
18-Sept-2012 Zenphoto confirmed and fixed (see
http://www.zenphoto.org/trac/changeset/10836).
1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
--
Scott Herbert Cert Web Apps (Open)
http://blog.scott-herbert.com/
Twitter @Scott_Herbert
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/