oss-sec mailing list archives
CVE request: pixelpost
From: Raphael Geissert <geissert () debian org>
Date: Thu, 16 Sep 2010 20:29:08 -0500
Hi everyone,

Multiple vulnerabilities have been reported against pixelpost:

1) A CSRF vulnerability allows changes to some settings (PoC allows changing the administrator's password.) [1]
2) SQL injection [2]
3) XSS [2]

2) and 3) are from 2009, so I guess we are going to need some help from Steven for those ones. The only information about those is [3] which has some other changes.

It also appears to be using PHP_SELF in some places, so that's another XSS vector. Will confirm it later.

[1] http://www.exploit-db.com/exploits/15014/
[2] http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
[3] http://pastie.textmate.org/616485

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
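Added illustration, not code from pixelpost or from the message above: a minimal PHP settings page showing the two patterns the report names, an unescaped PHP_SELF echoed into markup (XSS) and a state-changing POST handler with no request token (CSRF), next to the usual fixes. The file name settings.php, the session key csrf_token and the save_settings() call are assumptions made for the example.

```php
<?php
// Example settings page (hypothetical; not pixelpost code).
// Two defects and their fixes are shown side by side:
//   1. PHP_SELF is derived from the request path, so it is client-controlled
//      input and must be escaped before it lands in an HTML attribute.
//   2. A POST that changes settings must carry a per-session token that an
//      attacker's cross-site form cannot know.

session_start();

// --- PHP_SELF: vulnerable vs. hardened -----------------------------------

// Vulnerable: the raw path is written into the form action unescaped.
function form_action_unsafe(string $phpSelf): string
{
    return $phpSelf;
}

// Hardened: escape for the HTML attribute context (quotes included).
function form_action(string $phpSelf): string
{
    return htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- CSRF token: issue once per session, verify on every state change ----

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded for the form field.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_is_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; the is_string() guard keeps
    // array-valued form fields from reaching it.
    return $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// --- Request handling ----------------------------------------------------

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Vulnerable version would call save_settings($_POST) right here.
    // Hardened version refuses any POST whose token does not match the session.
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // save_settings($_POST);  // hypothetical; a password change should in
    //                         // addition require the current password.
}

$action = form_action($_SERVER['PHP_SELF'] ?? '');
?>
<!-- The hidden token is escaped too, although here it is hex and therefore safe. -->
<form method="post" action="<?= $action ?>">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES | ENT_HTML5, 'UTF-8') ?>">
  <label>New admin password
    <input type="password" name="admin_password" autocomplete="new-password">
  </label>
  <button type="submit">Save</button>
</form>
```

The token check is what stops the kind of PoC referenced as [1]: a form on another site can make the victim's browser send the POST with the session cookie, but it cannot read the session-bound token to include in it. Setting the session cookie with SameSite=Lax (session_set_cookie_params() in PHP 7.3 and later) is a useful second layer, but it does not replace the token.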