CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081
From: Henri Salo <henri () nerv fi>
Date: Fri, 30 Mar 2012 10:58:04 +0300

Can I get a 2012 CVE identifier for a stored XSS in Coppermine 1.5.18 edit_one_pic.php keywords?

ID: waraxe-2012-SA#081
Original advisory: http://www.waraxe.us/advisory-81.html
Mailing list post: http://seclists.org/bugtraq/2012/Mar/166

"""
Reason: failure to sufficiently sanitize user-supplied input data
Preconditions: privileges needed for picture keywords editing

A Coppermine user with appropriate privileges is able to modify picture information:

http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture

There is a field in the form named "Keywords (separate with semicolon)".
After insertion into the database, those keywords are later used in the HTML meta section.
It appears that this user-supplied data is not properly validated before being
output as HTML to the end user, resulting in a stored XSS vulnerability.

Testing:

1. Open picture information editing page:

http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture

2. Insert XSS payload below as keywords and click "Apply changes":

"><body onload=javascript:alert(String.fromCharCode(88,83,83))>

After that issue request to view this image:

http://localhost/cpg1518/displayimage.php?pid=1

As a result we can observe XSS payload execution.
"""

There are also four different path disclosure vulnerabilities (including plugins), but I think one CVE identifier for
this advisory is enough as these are all in the same version and path disclosure is very low severity.

- Henri Salo
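The defect the quoted advisory describes is stored keyword text being written into the HTML head without output encoding. The following is an added illustration, not Coppermine's code; the function names and the sample keyword values are hypothetical, and it shows the unescaped pattern next to the attribute-context escaping that neutralises it, plus an optional storage-time check.

```php
<?php
// Added example (not Coppermine's own code): the defect described in the
// advisory is keyword text written into the HTML <head> without escaping.
// Function and variable names here are hypothetical.

// Vulnerable pattern: stored keywords are concatenated straight into markup,
// so a stored '"' closes the attribute and the rest becomes new HTML.
function meta_keywords_unsafe(string $keywords): string {
    return '<meta name="keywords" content="' . $keywords . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both " and ', ENT_HTML5 selects the HTML5 entity table,
// and the explicit UTF-8 charset avoids silent mis-decoding of the input.
function meta_keywords_safe(string $keywords): string {
    $encoded = htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta name="keywords" content="' . $encoded . '">';
}

// Optional defence in depth at storage time: keywords are a semicolon
// separated list of words, so entries carrying markup characters are
// rejected before they reach the database. Output encoding stays mandatory.
function validate_keywords(string $keywords): bool {
    foreach (explode(';', $keywords) as $kw) {
        if (preg_match('/[<>"\']/', trim($kw))) {
            return false;
        }
    }
    return true;
}

// Constructed samples: a benign keyword list and the value from the advisory.
$samples = [
    'sunset;beach',
    '"><body onload=javascript:alert(String.fromCharCode(88,83,83))>',
];

foreach ($samples as $kw) {
    echo "input : $kw\n";
    echo "unsafe: " . meta_keywords_unsafe($kw) . "\n";
    echo "safe  : " . meta_keywords_safe($kw) . "\n";
    echo "accept: " . (validate_keywords($kw) ? 'yes' : 'no') . "\n\n";
}
```

In the safe output the stored quote and angle brackets appear as `&quot;`, `&lt;` and `&gt;`, so the meta tag stays a single attribute value and the browser never sees a new element.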
