Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 11 Oct 2012 11:17:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, Scott Herbert <scott.a.herbert@...glemail.com>,
        Malte Müller <info@...tem.de>
Subject: Re: CVE request: Zenphoto admin-news-articles.php
 date parameter XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2012 07:58 AM, Henri Salo wrote:
> Hello,
> 
> Can we assign 2012 CVE-identifier for issue in Zenphoto
> zp-core/zp-extensions/zenpage/admin-news-articles.php date
> parameter XSS, thanks.
> 
> http://osvdb.org/85899 
> http://seclists.org/fulldisclosure/2012/Oct/17 
> http://secunia.com/advisories/50799/ 
> http://scott-herbert.com/blog/2012/10/02/cookie-stealing-and-xss-vulnerable-in-zenphotoversion-1-4-3-2-1130
>
>  Not fixed in 1.4.3.3. Will be fixed in next bugfix release
> beginning of November.
> 
> Fix in http://www.zenphoto.org/svn/trunk/: 
> foo@bar:~/zenphoto/trunk$ svn diff -r10048:10942
> zp-core/zp-extensions/zenpage/admin-news-articles.php Index:
> zp-core/zp-extensions/zenpage/admin-news-articles.php 
> ===================================================================
>
> 
- --- zp-core/zp-extensions/zenpage/admin-news-articles.php   (revision
10048)
> +++ zp-core/zp-extensions/zenpage/admin-news-articles.php
> (revision 10942) @@ -109,13 +109,13 @@ <h1><?php echo
> gettext('Articles'); ?> <?php if (isset($_GET['category'])) { -
> echo "<em>".sanitize($_GET['category']).'</em>'; +
> echo "<em>".html_encode(sanitize($_GET['category'])).'</em>'; } if
> (isset($_GET['date'])) { -               echo '<em><small>
> ('.$_GET['date'].')</small></em>'; +               $_zp_post_date =
> sanitize($_GET['date']); +               echo '<em><small>
> ('.html_encode($_zp_post_date).')</small></em>'; // require so the
> date dropdown is working set_context(ZP_ZENPAGE_NEWS_DATE); -
> $_zp_post_date = sanitize($_GET['date']); } 
> if(isset($_GET['published'])) { switch ($_GET['published']) {
> 
> 
> - Henri Salo
> 

Please use CVE-2012-4519 for this issue.

P.S. Like /tmp file vulns XSS vulns are really easy to fix especially
in languages like PHP. When you find an XSS in an app please audit the
source code for more since chances are you'll find them (and they'll
get fixed faster).

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQdv8kAAoJEBYNRVNeJnmTj+IP/jOBswf8Z3BU9HAS4FVufqyF
tJYROuMh5cSYImy3Bfv3UMIJTxNNR7MRXswVll32IG7556oF2RF+G9x2haMZeTGm
x0dcBp3XLyR0SwhvS+yGdPGYcD829YJGkPmNqpF7h8ioLFJZ4c0S3p0wCoDMjT5a
SwMwpHkITkqzL3xt0rLMEK8xQpuO75sNfOd4w/f3QlCQTdZ/8NAQGVW6+DGqWxb6
h73Sb7CoTeR/SgpG5vmKIOvsDe//cI6U9Qo6gkhhTquMoAdP0z2g2JYllhr1fb3c
uxzZxy5Bfb4t2h1aiheo7/dutY23qke/gFcddaAZqX5Lg/DLg99UbU102aUIq7WZ
ySb9viaDSiVH68fU5M1dllT/meaV25wJDa9gKftG9cQGZQO8JbYYjGTHxL1kgLJB
GxpMCQ86VqZW8k/XuchJdU7IU25D02jz79ADuV/Esz9jY7yslkNm0x4ivyPh6Peg
RE2vZ4hlQVvg7mKt3r5XxkEfcJpCsPOjMsRHpx6N6f00EP5YJKNJxKFsqv/Uf/d0
zr6SwCBMnnCNDN2v4w+w+M4EQBPjsyk7/OxeNFOmi0Tat+trME6yf4y5HMmLts1X
bdIFPRlWFABCVUPM+RcyqSadwa2yMb9W56rJGvyRFAQFPFl5CxxZdennyUJwI1wo
tNSibkw/Ywe4Ut1tNR8j
=ildI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.