|
Message-ID: <5076FF25.1030709@redhat.com> Date: Thu, 11 Oct 2012 11:17:25 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Henri Salo <henri@...v.fi>, Scott Herbert <scott.a.herbert@...glemail.com>, Malte Müller <info@...tem.de> Subject: Re: CVE request: Zenphoto admin-news-articles.php date parameter XSS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/11/2012 07:58 AM, Henri Salo wrote: > Hello, > > Can we assign 2012 CVE-identifier for issue in Zenphoto > zp-core/zp-extensions/zenpage/admin-news-articles.php date > parameter XSS, thanks. > > http://osvdb.org/85899 > http://seclists.org/fulldisclosure/2012/Oct/17 > http://secunia.com/advisories/50799/ > http://scott-herbert.com/blog/2012/10/02/cookie-stealing-and-xss-vulnerable-in-zenphotoversion-1-4-3-2-1130 > > Not fixed in 1.4.3.3. Will be fixed in next bugfix release > beginning of November. > > Fix in http://www.zenphoto.org/svn/trunk/: > foo@bar:~/zenphoto/trunk$ svn diff -r10048:10942 > zp-core/zp-extensions/zenpage/admin-news-articles.php Index: > zp-core/zp-extensions/zenpage/admin-news-articles.php > =================================================================== > > - --- zp-core/zp-extensions/zenpage/admin-news-articles.php (revision 10048) > +++ zp-core/zp-extensions/zenpage/admin-news-articles.php > (revision 10942) @@ -109,13 +109,13 @@ <h1><?php echo > gettext('Articles'); ?> <?php if (isset($_GET['category'])) { - > echo "<em>".sanitize($_GET['category']).'</em>'; + > echo "<em>".html_encode(sanitize($_GET['category'])).'</em>'; } if > (isset($_GET['date'])) { - echo '<em><small> > ('.$_GET['date'].')</small></em>'; + $_zp_post_date = > sanitize($_GET['date']); + echo '<em><small> > ('.html_encode($_zp_post_date).')</small></em>'; // require so the > date dropdown is working set_context(ZP_ZENPAGE_NEWS_DATE); - > $_zp_post_date = sanitize($_GET['date']); } > if(isset($_GET['published'])) { switch ($_GET['published']) { > > > - Henri Salo > Please use CVE-2012-4519 for this issue. P.S. Like /tmp file vulns XSS vulns are really easy to fix especially in languages like PHP. When you find an XSS in an app please audit the source code for more since chances are you'll find them (and they'll get fixed faster). - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQdv8kAAoJEBYNRVNeJnmTj+IP/jOBswf8Z3BU9HAS4FVufqyF tJYROuMh5cSYImy3Bfv3UMIJTxNNR7MRXswVll32IG7556oF2RF+G9x2haMZeTGm x0dcBp3XLyR0SwhvS+yGdPGYcD829YJGkPmNqpF7h8ioLFJZ4c0S3p0wCoDMjT5a SwMwpHkITkqzL3xt0rLMEK8xQpuO75sNfOd4w/f3QlCQTdZ/8NAQGVW6+DGqWxb6 h73Sb7CoTeR/SgpG5vmKIOvsDe//cI6U9Qo6gkhhTquMoAdP0z2g2JYllhr1fb3c uxzZxy5Bfb4t2h1aiheo7/dutY23qke/gFcddaAZqX5Lg/DLg99UbU102aUIq7WZ ySb9viaDSiVH68fU5M1dllT/meaV25wJDa9gKftG9cQGZQO8JbYYjGTHxL1kgLJB GxpMCQ86VqZW8k/XuchJdU7IU25D02jz79ADuV/Esz9jY7yslkNm0x4ivyPh6Peg RE2vZ4hlQVvg7mKt3r5XxkEfcJpCsPOjMsRHpx6N6f00EP5YJKNJxKFsqv/Uf/d0 zr6SwCBMnnCNDN2v4w+w+M4EQBPjsyk7/OxeNFOmi0Tat+trME6yf4y5HMmLts1X bdIFPRlWFABCVUPM+RcyqSadwa2yMb9W56rJGvyRFAQFPFl5CxxZdennyUJwI1wo tNSibkw/Ywe4Ut1tNR8j =ildI -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.