Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 17 Sep 2010 13:27:55 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: pixelpost

Raphael Geissert wrote:
> It also appears to be using PHP_SELF in some places, so that's another XSS
> vector. Will confirm it later.

There a few easily-exploitable vectors on the following admin pages:
admin/index.php?view=comments
admin/index.php?view=options
admin/index.php?view=info

E.g.
http://host/pixelpost/admin/index.php/%22%3E%3Cscript%3Ewindow.alert();
%3C/script%3E'%3E%3Cscript%3Ewindow.alert();%3C/script%3E/?view=info


There is also another vector on the feeds generator if a template uses the 
"old" (according to the code) tag <ATOM_AUTODETECT>.
Similarly, if a template uses the <TAG_RSS_LINK> or <TAG_ATOM_LINK> tags 
there's another XSS vector via the tag= GET variable(none of the default 
templates do, in 1.7.1 and 1.7.3.)

There are a few more in other places, but I guess the picture is clear.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.