Date: Fri, 30 Mar 2012 11:36:23 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081

On 03/30/2012 01:58 AM, Henri Salo wrote:
> Can I get a 2012 CVE identifier for stored XSS in Coppermine 1.5.18 edit_one_pic.php keywords?
> 
> ID: waraxe-2012-SA#081
> Original advisory: http://www.waraxe.us/advisory-81.html
> Mailing list post: http://seclists.org/bugtraq/2012/Mar/166
> 
> """
> Reason: failure to sufficiently sanitize user-supplied input data
> Preconditions: privileges needed for picture keywords editing
> 
> A Coppermine user with appropriate privileges is able to modify picture information:
> 
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
> 
> There is a field in the form named "Keywords (separate with semicolon)".
> After insertion into the database, those keywords are later used in the HTML meta section.
> It appears that this specific user-supplied data is not properly validated before
> being output as HTML to the end user, resulting in a stored XSS vulnerability.
> 
> Testing:
> 
> 1. Open picture information editing page:
> 
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
> 
> 2. Insert XSS payload below as keywords and click "Apply changes":
> 
> "><body onload=javascript:alert(String.fromCharCode(88,83,83))>
> 
> After that issue request to view this image:
> 
> http://localhost/cpg1518/displayimage.php?pid=1
> 
> As a result we can observe XSS payload execution.
> """
> 
> There are also four different path disclosure vulnerabilities (including plugins), but I think one CVE identifier for this advisory is enough, as these are all in the same version and path disclosure is very low severity.
> 
> - Henri Salo

What about the path disclosures?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
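An added illustration of the rendering path the quoted advisory describes (keywords stored via edit_one_pic.php, read back from the database and written into the page's meta section). This is not Coppermine's code and not part of this thread; the function names, and the assumption that the value lands inside a double-quoted content attribute, are mine. The payload is the one from the advisory.

```php
<?php
// Added example, not Coppermine's own template code: models keywords stored
// through edit_one_pic.php being read back and emitted into a <meta> tag.

// Constructed samples: the advisory's payload as it would come back from the
// database, and a benign semicolon-separated keyword list for comparison.
$payloadFromDb = '"><body onload=javascript:alert(String.fromCharCode(88,83,83))>';
$benignFromDb  = 'holiday; beach; 2012';

// Vulnerable pattern (assumed shape, not the real Coppermine template): the raw
// value is concatenated into a double-quoted attribute. The leading '">' closes
// the attribute and the tag, and everything after it is parsed as markup, so
// the <body onload=...> runs on displayimage.php for every viewer.
function renderMetaVulnerable(string $keywords): string
{
    return '<meta name="keywords" content="' . $keywords . '">';
}

// Hardened pattern: attribute-encode at the point of output. ENT_QUOTES covers
// both quote styles (the default flags in PHP < 8.1 escape " but leave '
// untouched, which matters if the attribute is ever single-quoted),
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole result into an
// empty string, and the explicit charset avoids depending on default_charset.
function renderMetaSafe(string $keywords): string
{
    $encoded = htmlspecialchars($keywords, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta name="keywords" content="' . $encoded . '">';
}

// Cheap sanity check a reviewer can apply to any rendered tag: a correctly
// encoded attribute value contains no raw '<', '>' or '"' between the
// opening quote and the closing '">'.
function attributeStaysClosed(string $tag): bool
{
    return preg_match('/content="([^"<>]*)">$/', $tag) === 1;
}

foreach ([$payloadFromDb, $benignFromDb] as $kw) {
    $vuln = renderMetaVulnerable($kw);
    $safe = renderMetaSafe($kw);
    echo $vuln, PHP_EOL, '  closed: ', attributeStaysClosed($vuln) ? 'yes' : 'no', PHP_EOL;
    echo $safe, PHP_EOL, '  closed: ', attributeStaysClosed($safe) ? 'yes' : 'no', PHP_EOL;
}
```

Run it with the php CLI. For the payload, the vulnerable rendering prints a meta tag whose content attribute is terminated early and fails the closed-attribute check, while the hardened rendering prints the payload as `&quot;&gt;&lt;body ...&gt;` inside an intact attribute; the benign keyword list renders identically in both and passes the check either way, which is the property you want from output encoding: it is transparent for legitimate input. Input-side filtering of the keywords field (splitting on the semicolon, trimming, capping length) is reasonable hygiene but is not the fix; the context-appropriate encoding at output time is.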
