
List:       oss-security
Subject:    Re: [oss-security] CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-03-30 17:36:23
Message-ID: 4F75EF17.1080508 () redhat ! com

On 03/30/2012 01:58 AM, Henri Salo wrote:
> Can I get a 2012 CVE identifier for stored XSS in Coppermine 1.5.18 edit_one_pic.php keywords?
> 
> ID: waraxe-2012-SA#081
> Original advisory: http://www.waraxe.us/advisory-81.html
> Mailing list post: http://seclists.org/bugtraq/2012/Mar/166
> 
> """
> Reason: failure to sufficiently sanitize user-supplied input data
> Preconditions: privileges needed for picture keywords editing
> 
> A Coppermine user with appropriate privileges is able to modify picture information:
> 
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
> 
> There is a field in the form named "Keywords (separate with semicolon)".
> After insertion into the database, those keywords are later used in the HTML meta section.
> It appears that this user-supplied data is not properly validated before being
> output as HTML to the end user, resulting in a stored XSS vulnerability.
> 
> Testing:
> 
> 1. Open picture information editing page:
> 
> http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture
> 
> 2. Insert XSS payload below as keywords and click "Apply changes":
> 
> "><body onload=javascript:alert(String.fromCharCode(88,83,83))>
> 
> After that issue request to view this image:
> 
> http://localhost/cpg1518/displayimage.php?pid=1
> 
> As a result, we can observe XSS payload execution.
> """
> 
> There are also four different path disclosure vulnerabilities (including plugins), but I think
> one CVE identifier for this advisory is enough, as these are all in the same version and path
> disclosure is very low severity.
> - Henri Salo

What about the path disclosures?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
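The defect the quoted advisory describes is output encoding: stored keywords are written into a double-quoted `content` attribute of a `<meta>` tag without escaping. The following is an added Python example (not Coppermine code and not from either poster) that renders the tag the vulnerable way and the hardened way, plus an audit helper for finding attribute-breaking characters in stored keyword values; `STORED_KEYWORDS` is a constructed sample that reuses the advisory's test string, and all function names are mine.

```python
import html
import re

# Constructed sample: a keyword string as it would sit in the database after
# "Apply changes", with the advisory's test string as the middle keyword.
STORED_KEYWORDS = (
    'landscape; '
    '"><body onload=javascript:alert(String.fromCharCode(88,83,83))>; '
    'sunset'
)


def render_meta_vulnerable(keywords: str) -> str:
    """Emit keywords into <meta> the way the advisory describes: no encoding,
    so a '"' in the data closes the attribute and '<' opens a new element."""
    return '<meta name="keywords" content="' + keywords + '">'


def render_meta_hardened(keywords: str) -> str:
    """Encode for the double-quoted attribute context: &, <, >, " and ' are
    all replaced with entities, so the data can never leave the attribute."""
    return '<meta name="keywords" content="' + html.escape(keywords, quote=True) + '">'


def split_keywords(keywords: str) -> list[str]:
    """Split the stored string on the semicolon separator the form uses."""
    return [k.strip() for k in keywords.split(";") if k.strip()]


# Characters that can terminate a double-quoted attribute or open a tag.
ATTR_BREAKOUT = re.compile(r'["<>]')


def suspicious_keywords(keywords: str) -> list[str]:
    """Audit helper for existing data: return keyword entries that would be
    dangerous if any code path still emits them unencoded."""
    return [k for k in split_keywords(keywords) if ATTR_BREAKOUT.search(k)]


def injected_elements(markup: str) -> list[str]:
    """Return tag names opened in the rendered markup other than the one
    <meta> we intended, i.e. elements contributed by the keyword data."""
    return [t for t in re.findall(r"<([a-zA-Z]+)", markup) if t.lower() != "meta"]


if __name__ == "__main__":
    print(render_meta_vulnerable(STORED_KEYWORDS))
    print(render_meta_hardened(STORED_KEYWORDS))
    print(suspicious_keywords(STORED_KEYWORDS))
```

Running the audit helper over the keyword column of an existing installation shows which rows already carry markup, which is the check a maintainer would want before and after applying an output-encoding fix.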

