Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Zenphoto admin-news-articles.php date parameter XSS
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Oct 2012 11:17:25 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2012 07:58 AM, Henri Salo wrote:
Hello,

Can we assign 2012 CVE-identifier for issue in Zenphoto
zp-core/zp-extensions/zenpage/admin-news-articles.php date
parameter XSS, thanks.

http://osvdb.org/85899 
http://seclists.org/fulldisclosure/2012/Oct/17 
http://secunia.com/advisories/50799/ 
http://scott-herbert.com/blog/2012/10/02/cookie-stealing-and-xss-vulnerable-in-zenphotoversion-1-4-3-2-1130

 Not fixed in 1.4.3.3. Will be fixed in next bugfix release
beginning of November.

Fix in http://www.zenphoto.org/svn/trunk/: 
foo () bar:~/zenphoto/trunk$ svn diff -r10048:10942
zp-core/zp-extensions/zenpage/admin-news-articles.php Index:
zp-core/zp-extensions/zenpage/admin-news-articles.php 
===================================================================


- --- zp-core/zp-extensions/zenpage/admin-news-articles.php   (revision
10048)
+++ zp-core/zp-extensions/zenpage/admin-news-articles.php
(revision 10942) @@ -109,13 +109,13 @@ <h1><?php echo
gettext('Articles'); ?> <?php if (isset($_GET['category'])) { -
echo "<em>".sanitize($_GET['category']).'</em>'; +
echo "<em>".html_encode(sanitize($_GET['category'])).'</em>'; } if
(isset($_GET['date'])) { -               echo '<em><small>
('.$_GET['date'].')</small></em>'; +               $_zp_post_date =
sanitize($_GET['date']); +               echo '<em><small>
('.html_encode($_zp_post_date).')</small></em>'; // require so the
date dropdown is working set_context(ZP_ZENPAGE_NEWS_DATE); -
$_zp_post_date = sanitize($_GET['date']); } 
if(isset($_GET['published'])) { switch ($_GET['published']) {


- Henri Salo


Please use CVE-2012-4519 for this issue.

P.S. Like /tmp file vulns XSS vulns are really easy to fix especially
in languages like PHP. When you find an XSS in an app please audit the
source code for more since chances are you'll find them (and they'll
get fixed faster).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQdv8kAAoJEBYNRVNeJnmTj+IP/jOBswf8Z3BU9HAS4FVufqyF
tJYROuMh5cSYImy3Bfv3UMIJTxNNR7MRXswVll32IG7556oF2RF+G9x2haMZeTGm
x0dcBp3XLyR0SwhvS+yGdPGYcD829YJGkPmNqpF7h8ioLFJZ4c0S3p0wCoDMjT5a
SwMwpHkITkqzL3xt0rLMEK8xQpuO75sNfOd4w/f3QlCQTdZ/8NAQGVW6+DGqWxb6
h73Sb7CoTeR/SgpG5vmKIOvsDe//cI6U9Qo6gkhhTquMoAdP0z2g2JYllhr1fb3c
uxzZxy5Bfb4t2h1aiheo7/dutY23qke/gFcddaAZqX5Lg/DLg99UbU102aUIq7WZ
ySb9viaDSiVH68fU5M1dllT/meaV25wJDa9gKftG9cQGZQO8JbYYjGTHxL1kgLJB
GxpMCQ86VqZW8k/XuchJdU7IU25D02jz79ADuV/Esz9jY7yslkNm0x4ivyPh6Peg
RE2vZ4hlQVvg7mKt3r5XxkEfcJpCsPOjMsRHpx6N6f00EP5YJKNJxKFsqv/Uf/d0
zr6SwCBMnnCNDN2v4w+w+M4EQBPjsyk7/OxeNFOmi0Tat+trME6yf4y5HMmLts1X
bdIFPRlWFABCVUPM+RcyqSadwa2yMb9W56rJGvyRFAQFPFl5CxxZdennyUJwI1wo
tNSibkw/Ywe4Ut1tNR8j
=ildI
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]