List:       oss-security
Subject:    [oss-security] Re: CVE request: pixelpost
From:       Raphael Geissert <geissert () debian ! org>
Date:       2010-09-17 18:27:55
Message-ID: i70but$vlc$1 () dough ! gmane ! org
Raphael Geissert wrote:
> It also appears to be using PHP_SELF in some places, so that's another XSS
> vector. Will confirm it later.

There are a few easily exploitable vectors on the following admin pages:
admin/index.php?view=comments
admin/index.php?view=options
admin/index.php?view=info

E.g.
http://host/pixelpost/admin/index.php/%22%3E%3Cscript%3Ewindow.alert();%3C/script%3E'%3E%3Cscript%3Ewindow.alert();%3C/script%3E/?view=info


There is also another vector on the feeds generator if a template uses the 
"old" (according to the code) tag <ATOM_AUTODETECT>.
Similarly, if a template uses the <TAG_RSS_LINK> or <TAG_ATOM_LINK> tags 
there's another XSS vector via the tag= GET variable (none of the default 
templates do, in 1.7.1 and 1.7.3).

There are a few more in other places, but I guess the picture is clear.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
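The PHP_SELF pattern behind the admin-page vectors above, as an added example that is not Pixelpost's code and is not part of the original message. It shows a vulnerable renderer that echoes $_SERVER['PHP_SELF'] unescaped into a form action, next to a hardened one that entity-encodes it, and feeds both the decoded payload from the URL quoted in the message. Function names and the constructed request are assumptions for illustration only.

```php
<?php
// Added example, not Pixelpost's own code. Demonstrates the reflected XSS
// pattern that arises when $_SERVER['PHP_SELF'] is echoed unescaped.
// Function names are hypothetical.

// Vulnerable: PHP_SELF is written raw into an attribute. PHP_SELF includes
// any path-info an attacker appends after the script name
// (".../index.php/<payload>"), so the attacker controls this string.
function render_form_vulnerable(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '?view=info">'
         . '<input type="submit" value="Save"></form>';
}

// Hardened: encode for attribute context before output. Using
// $_SERVER['SCRIPT_NAME'] instead of PHP_SELF additionally drops the
// path-info component entirely, which is preferable where possible.
function render_form_hardened(string $php_self): string
{
    $action = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '?view=info">'
         . '<input type="submit" value="Save"></form>';
}

// Returns true when a live <script> tag survives in the rendered markup.
function contains_live_script(string $html): bool
{
    return stripos($html, '<script>') !== false;
}

// Constructed request (assumed): the URL-decoded path from the message's
// example, as PHP would expose it in $_SERVER['PHP_SELF'].
$script_name = '/pixelpost/admin/index.php';
$path_info   = '/"><script>window.alert();</script>\'><script>window.alert();</script>/';
$php_self    = $script_name . $path_info;

$vuln = render_form_vulnerable($php_self);
$safe = render_form_hardened($php_self);

echo "Vulnerable output:\n$vuln\n\n";
echo "Hardened output:\n$safe\n\n";
echo 'Vulnerable contains live <script>: ' . (contains_live_script($vuln) ? 'yes' : 'no') . "\n";
echo 'Hardened contains live <script>:   ' . (contains_live_script($safe) ? 'yes' : 'no') . "\n";
```

Run it from the command line with php; the vulnerable output closes the action attribute and injects the script, while the hardened output keeps the whole path inside the attribute as `&quot;&gt;&lt;script&gt;...`.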
