Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: piwigo XSS in password.php
From: Raphael Geissert <geissert () debian org>
Date: Fri, 5 Oct 2012 23:54:24 -0500

Hi,

A XSS vulnerability has been reported in piwigo's password.php before 2.4.4:
http://piwigo.org/bugs/view.php?id=0002750
http://secunia.com/advisories/50510/

However, as stated in the Secunia advisory, the fix does not entirely address 
the issue. For context, the stripslashes/strip_tags'ed POST variable is 
included in the template as following:
<input type="text" id="username_or_email" name="username_or_email" ... 
value="{$username_or_email}">

(some parts redacted for clarity)

So, two ids are needed. Thanks in advance.

Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.

-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]