[Fixed]: Cross-Site Scripting (XSS) Vulnerability
 

Started by gsa, April 29, 2009, 12:07:00 PM


gsa

Hello,
Accidentally I found one xss in the cpg14x, here you can see the advisory related:

Coppermine Photo Gallery 1.4 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 29, 2009
Package: Coppermine Photo Gallery (cpg14x)
Product homepage: http://coppermine-gallery.net/
Versions Affected: v.1.4 (Other versions may also be affected)
Severity: Medium

Input passed to the 'css' parameter from '/docs/showdoc.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example: http://somehost/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>

Hein Traag

Thanks for reporting this. On which site did you find this news?

gsa

I am sorry, I was not very clear in my statement. I am the discoverer of the flaw and the author of the advisory. It was not published anywhere else. I may publish it on my security blog after it is fixed. Sorry again for my bad English, I just wanted to say that I found the vulnerability accidentally.

gsa

More typos, and I cannot edit my posts... I am irrecoverable....
Also, I wanted to ask for feedback on this bug: reception, acceptance and correction.

phill104

I think a little more information will be required so we can see exactly how it works and what it does.

If you would like to PM me full info I will pass it onto the rest of the team so we can take a look and check the impact.

Please also tell us what version of coppermine you are using (should be 1.4.21) along with any other info you can provide.
It is a mistake to think you can solve any major problems just with potatoes.

Nibbler

That's enough information already. Should be a simple enough fix. Thanks for notifying us.

Nibbler

To patch this, edit docs/showdoc.php

find

$file = str_replace($forbidden_chars, '', $file);

add

$add_stylesheet = str_replace($forbidden_chars, '', $add_stylesheet);
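
As an added illustration (not Coppermine's code and not part of this thread), the following Python models the reflection that the advisory describes and the one-line fix above. The template that puts the css parameter inside a <link> tag is a hypothetical stand-in for whatever showdoc.php actually emits, and ASSUMED_FORBIDDEN_CHARS is an assumption for the real $forbidden_chars list, which this page does not show. A stricter whitelist variant is placed beside the blacklist fix, and reflects_script can be run over a fetched response body to confirm that a deployed installation no longer reflects the advisory's probe.

```python
"""Model of the reflected XSS in docs/showdoc.php and of two ways to close it.

Added illustration only: the template string and the forbidden-character list
are assumptions, not Coppermine's actual code.
"""
import html
import re
from urllib.parse import unquote

# The probe from the advisory, URL-decoded the way PHP presents $_GET['css'].
ADVISORY_PROBE = unquote('1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>')

# Assumed shape of the page: the css parameter ends up inside a <link> tag.
TEMPLATE = '<link rel="stylesheet" href="{css}.css" type="text/css" />'

# Assumed stand-in for Coppermine's $forbidden_chars (the real list is not on the page).
ASSUMED_FORBIDDEN_CHARS = ['<', '>', '"', "'", '\\', '/', '\n', '\r', '\0']


def render_vulnerable(css: str) -> str:
    """Pre-fix behaviour: the parameter is concatenated into the markup untouched."""
    return TEMPLATE.format(css=css)


def render_stripped(css: str, forbidden=ASSUMED_FORBIDDEN_CHARS) -> str:
    """The posted fix, modelled: the same blacklist already applied to $file
    is applied to $add_stylesheet before it reaches the markup."""
    for ch in forbidden:
        css = css.replace(ch, '')
    return TEMPLATE.format(css=css)


# A stylesheet name has no business containing anything outside this set.
STYLESHEET_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def render_whitelisted(css: str, default: str = 'style') -> str:
    """Stricter alternative: accept only a plain stylesheet name, otherwise fall
    back to a default, and HTML-encode on output so a later template change
    that moves the value into text or a different attribute stays safe."""
    name = css if STYLESHEET_NAME.match(css) else default
    return TEMPLATE.format(css=html.escape(name, quote=True))


SCRIPT_TAG = re.compile(r'<\s*script', re.IGNORECASE)


def reflects_script(body: str) -> bool:
    """Verification check: does a live <script ...> opening tag come back in the
    rendered page? Point this at a fetched response body when confirming that
    an installation has been patched."""
    return SCRIPT_TAG.search(body) is not None


if __name__ == '__main__':
    for name, render in (('vulnerable', render_vulnerable),
                         ('stripped', render_stripped),
                         ('whitelisted', render_whitelisted)):
        out = render(ADVISORY_PROBE)
        print(f'{name:12s} reflects script tag: {reflects_script(out)}')
        print('   ', out)
```

The stripping fix inherits the strength of $forbidden_chars: it neutralises the advisory's probe only because the list removes < and >, so anyone applying the patch by hand should confirm those characters are in the list on their installation. The whitelist variant does not depend on the list at all, which is why it is the shape to prefer when the value is only ever meant to be a file name.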

phill104

Yep, it has taken me a while to work out exactly how it does its stuff. I'm a bit slow with these things sometimes.

Joachim Müller

The advisory should be re-worded with correct reference to the versions. Please use this text:
Quote from: gsa on April 29, 2009, 12:07:00 PM
Coppermine Photo Gallery 1.4.21 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 29, 2009
Package: Coppermine Photo Gallery (cpg1.4.21)
Product homepage: http://coppermine-gallery.net/
Versions Affected: v.1.4.21 (older versions are also affected)
Severity: Medium

Input passed to the 'css' parameter from '/docs/showdoc.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example: http://somehost/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>

We'll come up with a new version asap.

gsa

Quote from: Joachim Müller on April 29, 2009, 10:20:29 PM
The advisory should be re-worded with correct reference to the versions. Please use this text:
We'll come up with a new version asap.

Ok. Thank you.

Joachim Müller

cpg1.4.22 has just been released, see announcement thread cpg1.4.22 Security release - upgrade mandatory!.
Manual fixing instructions have been provided in the announcement thread as well. Please keep this thread here clean and do not reply to it with individual issues. If you have issues with upgrading or if you think that you have found another bug, start a thread of your own on the corresponding support board. Do not hijack this thread, which is meant for communication between Gerendi Sandor Attila and the dev team.