On Tue, Oct 02, 2012 at 07:16:11AM +0100, Scott Herbert wrote:
> -------------------------
> Affected products:
> -------------------------
>
> Product : Zenphoto 1.4.3.2 (and maybe older) fixed in 1.4.3.3
> Affected function: printPublishIconLink
>
> ----------
> Details:
> ----------
>
> The file admin-news-articles.php calls the function printPublishIconLink
> which generates HTML from data stored in the $_GET super global. This can be
> used to generate an XSS attack or, more seriously, as an admin user needs to be
> logged in to access the page admin-news-articles.php, a cookie stealing
> script.
>
> Example code:
> http://127.0.0.1/zenphoto/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
>
> --------------------
> Suggested fix:
> --------------------
>
> Sanitize the $_GET super global on lines 1637 through 1641 in
> zenpage-admin-functions.php file
>
> ------------
> Timeline:
> ------------
>
> 12-Sept-2012 Zenphoto and UK-CERT informed
> 18-Sept-2012 Zenphoto confirmed and fixed (see
> http://www.zenphoto.org/trac/changeset/10836).
> 1-Oct-2012 Zenphoto 1.4.3.3 released fixing hole.
>
> --
> Scott Herbert Cert Web Apps (Open)
> http://blog.scott-herbert.com/
> Twitter @Scott_Herbert
Identifier CVE-2012-4519 has been assigned for this issue
http://www.openwall.com/lists/oss-security/2012/10/11/4

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
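The advisory above describes the classic reflected-XSS shape: a request parameter copied from $_GET straight into generated HTML. The block below is an added example, not Zenphoto's code and not the fix in changeset 10836; the function names, the `date` parameter format (YYYY-MM or YYYY-MM-DD) and the link markup are assumptions chosen to illustrate the unsafe pattern beside a hardened one that validates the input and escapes at the output boundary.

```php
<?php
// Added example (not Zenphoto's code): the unsafe pattern the advisory
// describes beside a hardened version. Function names, the accepted
// 'date' format and the link markup are assumptions for illustration.

// Unsafe: the request parameter is interpolated straight into markup.
// A value containing a quote and angle brackets closes the attribute
// and injects its own tags (reflected XSS).
function build_publish_link_unsafe(array $get): string {
    $date = $get['date'] ?? '';
    return '<a href="admin-news-articles.php?date=' . $date . '">Publish</a>';
}

// Hardened, step 1: validate the parameter against the shape it must have.
// Here a news-archive date is YYYY-MM or YYYY-MM-DD (assumption); anything
// else is rejected instead of being echoed back to the browser.
function validate_date_param(?string $value): ?string {
    if ($value === null) {
        return null;
    }
    if (!preg_match('/^\d{4}-\d{2}(-\d{2})?$/', $value)) {
        return null;
    }
    return $value;
}

// Hardened, step 2: escape at the output boundary regardless of validation,
// so that a later relaxation of the whitelist cannot reintroduce the bug.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function build_publish_link_safe(array $get): string {
    $date = validate_date_param($get['date'] ?? null);
    if ($date === null) {
        // Invalid or missing date: emit the link without the parameter.
        return '<a href="admin-news-articles.php">Publish</a>';
    }
    // http_build_query URL-encodes the value; html_attr then makes the
    // whole query string safe inside a double-quoted attribute.
    $query = http_build_query(['date' => $date]);
    return '<a href="admin-news-articles.php?' . html_attr($query) . '">Publish</a>';
}

// Self-check with a constructed input (not the advisory's payload) that
// contains the characters needed to break out of an attribute.
function self_check(): bool {
    $get = ['date' => '"><b>x</b>'];
    $unsafe = build_publish_link_unsafe($get);
    $safe = build_publish_link_safe($get);
    return strpos($unsafe, '<b>') !== false   // unsafe output carries a live tag
        && strpos($safe, '<b>') === false     // hardened output does not
        && $safe === '<a href="admin-news-articles.php">Publish</a>'
        && build_publish_link_safe(['date' => '2012-10-02'])
           === '<a href="admin-news-articles.php?date=2012-10-02">Publish</a>';
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "ok\n" : "FAIL\n";
}
```

Run it with `php example.php`; it prints `ok` when the unsafe builder reflects the tag and the hardened builder does not. The two layers are deliberate: the whitelist stops unexpected values from reaching the page at all, and `htmlspecialchars` with `ENT_QUOTES` guarantees that whatever does reach an attribute cannot terminate it. Because the affected page is only reachable by a logged-in administrator, the reflected script would run with that session's cookies, which is why the advisory rates the cookie-theft scenario as the serious one.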