Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: piwigo XSS in password.php
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 10 Feb 2013 21:49:26 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/09/2013 06:14 PM, Kurt Seifried wrote:
So Henri Salo pointed out that I never assigned a CVE for this:

http://www.openwall.com/lists/oss-security/2012/10/06/2

Which raises a good note: do not be afraid to bug me if some time
goes by without an answer or at least a reply/question.

Hi,

A XSS vulnerability has been reported in piwigo's password.php 
before 2.4.4: http://piwigo.org/bugs/view.php?id=0002750 
http://secunia.com/advisories/50510/

However, as stated in the Secunia advisory, the fix does not 
entirely address the issue. For context, the 
stripslashes/strip_tags'ed POST variable is included in the 
template as following: <input type="text" id="username_or_email" 
name="username_or_email" ... value="{$username_or_email}">

(some parts redacted for clarity)

So, two ids are needed. Thanks in advance.

Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.

-- Raphael Geissert - Debian Developer www.debian.org - 
get.debian.net

Please use CVE-2012-6126 for this issue.

Someone (who wishes to remain anonymous, but they rock!) pointed out
that this was already assigned:

http://seclists.org/oss-sec/2012/q4/98

Please REJECT CVE-2012-6126 and use CVE-2012-4525/CVE-2012-4526 as
mentioned above instead. Thanks to my anonymous benefactor.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRGHhVAAoJEBYNRVNeJnmT4wgQAJtQ+ew7WmUw0PWp0UkQ9Tpg
+tf85hIklvunyv88g7i9vh0NtPaP08J4CT8BWDhUMDOkMP72/+30i5gViayO/o3k
FpgXZRnJupMUBe4/nz290xM/mjPomU8VTT7YJHT3Q9+y3rZ/D6SJj2JUs9jkfbD9
ySU8v8l4bEH4NZegU1Xy4L55SaZ7vr9IBJ+V+1PNP/XdgGucIO0Lq6K00vad7QtV
Nh8yUtyXcLv9M3v3UQeRnm912JDjxr50Mw/yNASAcqFYd9UzVUyvhAfcKA1VdFBy
FPBO0ZotylLNyypShptmw3UgMQtrtDIDhdU4yv2nkjz08bipZEQJ5afl7PIUS2Mf
U05HiNIcF5tXESCdEl2N/MW1QTaUs8UZ24snWMbHIfCfdDaAsbnU/xFg8pZrvxRw
/Wg43w1TC9XzO0vSGYKEilh0BTbEpNhjatcqwQ1NYHdVs0CJjt9MX4tVh4P/PFKo
VJIJB3dD0yItNJdzumYQRL2JGmHurRV8TlZ5GXf6nsSZkSd7l3EOdUz+CNSMr4t6
nqxAysO1aP0LsxFyWg26aRvSfir6Q+TUTub0g1u/VySYwgZ4EoE+0IcCZ4SAUX7R
8Af5sqTm38RY0F/4AldsQnbfVDx3HSmSa8MORisWBi5ZeH4yllczr6S5ZQ6/12Wa
iX1Dq3juckHbhicDWiI2
=3Bp6
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]