Re: CVE request: piwigo XSS in password.php

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/05/2012 10:54 PM, Raphael Geissert wrote:
> Hi,
>
> A XSS vulnerability has been reported in piwigo's password.php
> before 2.4.4: http://piwigo.org/bugs/view.php?id=0002750 
> http://secunia.com/advisories/50510/
>
> However, as stated in the Secunia advisory, the fix does not
> entirely address the issue. For context, the
> stripslashes/strip_tags'ed POST variable is included in the
> template as following: <input type="text" id="username_or_email"
> name="username_or_email" ... value="{$username_or_email}">
>
> (some parts redacted for clarity)
>
> So, two ids are needed. Thanks in advance.
>
> Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.

Please use:

CVE-2012-4525 for piwigo 2.4.3 and earlier XSS in password.php

CVE-2012-4526 for piwigo 2.4.4 XSS in password.php (failed fix for
4525 basically).


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQf7DJAAoJEBYNRVNeJnmTCQ0P/ioCdoQLipfBv5kUj7z0Tdjl
nX1p8JqrwlC25O49EWzUW58Y2D237tcKRIzgHPeBh6xxvc2FIPQnvNeveM/tfvHR
p0y1ZfU4bjhWMlemFeWf1acNzQGxJJWBLfJ3m+KZdET0Jv2IWccsli8T2MKQ6vwt
Jw/cTrDpz6VUOyyubxmvrpiq4Pf/wKUnK1pFWmoF0VYud3TjTdAm7PpcKoxXhkdn
HvipDT3EEGpIc5swGJOATwteqMLN0eM68EE2d7X7H8aZgfcbeNSwRmbDpfCLGG6s
sez8FpNgwUTPnXGK5j5PG8L9oT62TsPbAB1e/yDtoV6vsnh9AD5tz6dI7Qwz+1Wh
XFO/8q9o1g0oG7eJqLbLvixP8HrxNpVuNBkalCA01S1IlNHhMsXpI1Bn70u3yk/A
os9FHm47yLSb+w6XIUgzo92b32heGkA1RNysDY4tXPKd3otgJxU4JXjMUqSEgBNT
wNVBmPzgiC++znKdWKfaUbewv/cTdOKCS1nBQ6p+8t5+npBFWEOsrFLGjNhjxnms
4gJ0iNPnCoZip3PZTEwPW1RrBug4UNNiHIkbJCdyX/TELHo+Xzomfx5lCClbcoCi
LkugwvNHVINulvxth7voprQvZLRvNU9l0qe+5r+/dpv1Oai4GJLRCJ0wHHMHRTBN
EoW6pLPWhc9vL7Wr5ng+
=It4M
-----END PGP SIGNATURE-----