[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201210052354.25850.geissert@debian.org>
Date: Fri, 5 Oct 2012 23:54:24 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: piwigo XSS in password.php
Hi,
A XSS vulnerability has been reported in piwigo's password.php before 2.4.4:
http://piwigo.org/bugs/view.php?id=0002750
http://secunia.com/advisories/50510/
However, as stated in the Secunia advisory, the fix does not entirely address
the issue. For context, the stripslashes/strip_tags'ed POST variable is
included in the template as following:
<input type="text" id="username_or_email" name="username_or_email" ...
value="{$username_or_email}">
(some parts redacted for clarity)
So, two ids are needed. Thanks in advance.
Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
