Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120330075804.GA11582@kludge.henri.nerv.fi>
Date: Fri, 30 Mar 2012 10:58:04 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081

Can I get 2012 CVE-identifier for stored XSS in Coppermine 1.5.18 edit_ont_pic.php keywords.

ID: waraxe-2012-SA#081
Original advisory: http://www.waraxe.us/advisory-81.html
Mailing list post: http://seclists.org/bugtraq/2012/Mar/166

"""
Reason: failure to sufficiently sanitize user-supplied input data
Preconditions: privileges needed for picture keywords editing

Coppermine user with appropriate privileges is able to modify picture information:

http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture

There is a field in form named as "Keywords (separate with semicolon)".
After insertion to database those keywords are later used in html meta section.
It appears, that specific user supplied data is not properly validated before
outputting as html to the end user, resulting in Stored XSS vulnerability.

Testing:

1. Open picture information editing page:

http://localhost/cpg1518/edit_one_pic.php?id=1&what=picture

2. Insert XSS payload below as keywords and click "Apply changes":

"><body onload=javascript:alert(String.fromCharCode(88,83,83))>

After that issue request to view this image:

http://localhost/cpg1518/displayimage.php?pid=1

As result we can observe XSS payload execution.
"""

There is also four different path disclosure vulnerabilities (includes plugins), but I think one CVE-identifier for this advisory is enough as these are all in the same version and path disclosure is very low severity.

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.