oss-sec mailing list archives
Re: CVE request: piwigo XSS in password.php
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 18 Oct 2012 01:33:30 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/05/2012 10:54 PM, Raphael Geissert wrote:
Hi, A XSS vulnerability has been reported in piwigo's password.php before 2.4.4: http://piwigo.org/bugs/view.php?id=0002750 http://secunia.com/advisories/50510/ However, as stated in the Secunia advisory, the fix does not entirely address the issue. For context, the stripslashes/strip_tags'ed POST variable is included in the template as following: <input type="text" id="username_or_email" name="username_or_email" ... value="{$username_or_email}"> (some parts redacted for clarity) So, two ids are needed. Thanks in advance. Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.
Please use: CVE-2012-4525 for piwigo 2.4.3 and earlier XSS in password.php CVE-2012-4526 for piwigo 2.4.4 XSS in password.php (failed fix for 4525 basically). - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQf7DJAAoJEBYNRVNeJnmTCQ0P/ioCdoQLipfBv5kUj7z0Tdjl nX1p8JqrwlC25O49EWzUW58Y2D237tcKRIzgHPeBh6xxvc2FIPQnvNeveM/tfvHR p0y1ZfU4bjhWMlemFeWf1acNzQGxJJWBLfJ3m+KZdET0Jv2IWccsli8T2MKQ6vwt Jw/cTrDpz6VUOyyubxmvrpiq4Pf/wKUnK1pFWmoF0VYud3TjTdAm7PpcKoxXhkdn HvipDT3EEGpIc5swGJOATwteqMLN0eM68EE2d7X7H8aZgfcbeNSwRmbDpfCLGG6s sez8FpNgwUTPnXGK5j5PG8L9oT62TsPbAB1e/yDtoV6vsnh9AD5tz6dI7Qwz+1Wh XFO/8q9o1g0oG7eJqLbLvixP8HrxNpVuNBkalCA01S1IlNHhMsXpI1Bn70u3yk/A os9FHm47yLSb+w6XIUgzo92b32heGkA1RNysDY4tXPKd3otgJxU4JXjMUqSEgBNT wNVBmPzgiC++znKdWKfaUbewv/cTdOKCS1nBQ6p+8t5+npBFWEOsrFLGjNhjxnms 4gJ0iNPnCoZip3PZTEwPW1RrBug4UNNiHIkbJCdyX/TELHo+Xzomfx5lCClbcoCi LkugwvNHVINulvxth7voprQvZLRvNU9l0qe+5r+/dpv1Oai4GJLRCJ0wHHMHRTBN EoW6pLPWhc9vL7Wr5ng+ =It4M -----END PGP SIGNATURE-----
Current thread:
- CVE request: piwigo XSS in password.php Raphael Geissert (Oct 05)
- Re: CVE request: piwigo XSS in password.php Kurt Seifried (Oct 18)