oss-sec mailing list archives

CVE request: pixelpost

From: Raphael Geissert <geissert () debian org>
Date: Thu, 16 Sep 2010 20:29:08 -0500

Hi everyone,

Multiple vulnerabilities have been reported against pixelpost:

1) A CSRF vulnerability allows changes to some settings (PoC allows changing 
the administrator's password.) [1]
2) SQL injection [2]
3) XSS [2]

2) and 3) are from 2009, so I guess we are going to need some help from 
Steven for those ones. The only information about those is [3] which has 
some other changes.

It also appears to be using PHP_SELF in some places, so that's another XSS 
vector. Will confirm it later.

[1] http://www.exploit-db.com/exploits/15014/
[2] http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
[3] http://pastie.textmate.org/616485

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Current thread:

CVE request: pixelpost Raphael Geissert (Sep 16)
- Re: CVE request: pixelpost Josh Bressers (Sep 17)
- Re: CVE request: pixelpost Raphael Geissert (Sep 17)