List: oss-security
Subject: Re: [oss-security] CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-03-30 17:36:23
Message-ID: 4F75EF17.1080508 () redhat ! com
On 03/30/2012 01:58 AM, Henri Salo wrote:
> Can I get a 2012 CVE identifier for stored XSS in Coppermine 1.5.18 edit_one_pic.php keywords?
>
> ID: waraxe-2012-SA#081
> Original advisory: http://www.waraxe.us/advisory-81.html
> Mailing list post: http://seclists.org/bugtraq/2012/Mar/166
>
> """
> Reason: failure to sufficiently sanitize user-supplied input data
> Preconditions: privileges needed for picture keywords editing
>
> A Coppermine user with appropriate privileges is able to modify picture information:
>
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
>
> There is a field in the form named "Keywords (separate with semicolon)".
> After insertion into the database, those keywords are later used in the HTML meta section.
> It appears that the specific user-supplied data is not properly validated before
> being output as HTML to the end user, resulting in a Stored XSS vulnerability.
>
> Testing:
>
> 1. Open picture information editing page:
>
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
>
> 2. Insert XSS payload below as keywords and click "Apply changes":
>
> "><body onload=javascript:alert(String.fromCharCode(88,83,83))>
>
> After that issue request to view this image:
>
> http://localhost/cpg1518/displayimage.php?pid=1
>
> As a result, we can observe XSS payload execution.
> """
>
> There are also four different path disclosure vulnerabilities (including plugins), but I think
> one CVE identifier for this advisory is enough, as these are all in the same version and path
> disclosure is very low severity.
> - Henri Salo
What about the path disclosures?
--
Kurt Seifried Red Hat Security Response Team (SRT)
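As an added example (not Coppermine's own code and not part of this thread), the keyword-to-meta-tag output the advisory describes, rendered unescaped beside an attribute-encoded version; the stored value is the advisory's payload, constructed here as if read back from the database, and the function names are assumptions.

```php
<?php
// Added example, not Coppermine's code: rendering picture keywords into the
// <head> of an image page. The vulnerable variant interpolates the stored
// value unencoded, so a keyword containing '">' closes the content attribute
// and the rest of the value becomes markup. The safe variant encodes for the
// HTML attribute context at the point of output.

// Constructed sample: the payload quoted in the advisory, as stored by a user
// with picture-editing privileges and later read back for display.
$stored_keywords = '"><body onload=javascript:alert(String.fromCharCode(88,83,83))>';

function render_keywords_meta_vulnerable(string $keywords): string
{
    // Vulnerable pattern: no output encoding for the attribute context.
    return '<meta name="keywords" content="' . $keywords . '">';
}

function render_keywords_meta_safe(string $keywords): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot terminate the
    // attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding "".
    $encoded = htmlspecialchars($keywords, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta name="keywords" content="' . $encoded . '">';
}

// Check used when reviewing templates: the attribute value between the opening
// content=" and the closing "> must contain no raw quote or angle bracket.
function attribute_value_is_inert(string $meta_tag): bool
{
    $prefix = '<meta name="keywords" content="';
    $value  = substr($meta_tag, strlen($prefix), -2);
    return strpos($value, '"') === false && strpos($value, '<') === false;
}

var_dump(attribute_value_is_inert(render_keywords_meta_vulnerable($stored_keywords)));
var_dump(attribute_value_is_inert(render_keywords_meta_safe($stored_keywords)));
echo render_keywords_meta_safe($stored_keywords), PHP_EOL;
```

htmlspecialchars() is the right primitive only for HTML element and attribute contexts; keywords that are also echoed into JavaScript, a URL, or a CSS block need that context's own encoding.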