[Fixed]: Cross-Site Scripting (XSS) Vulnerability

[gsa]

Hello,
 Accidentally I found one xss in the cpg14x, here you can see the advisory related:

Coppermine Photo Gallery 1.4 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 29, 2009
Package: Coppermine Photo Gallery (cpg14x)
Product homepage: http://coppermine-gallery.net/
Versions Affected: v.1.4 (Other versions may also be affected)
Severity: Medium

Input passed to the 'css' parameter from '/docs/showdoc.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example: http://somehost/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>

[Hein Traag]

Thanks for reporting this. On which site did you find this news?

[gsa]

I am sorry, I was not very clear In my statement. I am the discoverer of the flaw and the author of the advisory. It was not published anywhere elsewhere. I may publish it after is fixed on my security blog. Sorry again for my bad English, I wanted just to say the I found the vulnerability accidentally.

[gsa]

More typo and I can not edit my posts... I am irrecoverable....
Also I wanted to ask for feedback on this bug: reception, acceptation and correction. 

[Phill Luckhurst]

I think a little more information will be required so we can see exactly how it works and what it does.

If you would like to PM me full info I will pass it onto the rest of the team so we can take a look and check the impact.

Please also tell us what version of coppermine you are using (should be 1.4.21) along with any other info you can provide.

[Nibbler]

That's enough information already. Should be a simple enough fix. Thanks for notifying us.

[Nibbler]

To patch this, edit docs/showdoc.php

find

Code:

$file = str_replace($forbidden_chars, '', $file);

add

Code:

$add_stylesheet = str_replace($forbidden_chars, '', $add_stylesheet);

[Phill Luckhurst]

Yep, it has taken me a while to work out exactly how it does its stuff. I'm a bit slow with these things sometimes.

[Joachim Müller]

The advisory should be re-worded with correct reference to the versions. Please use this text:

Coppermine Photo Gallery 1.4.21 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 29, 2009
Package: Coppermine Photo Gallery (cpg1.4.21)
Product homepage: http://coppermine-gallery.net/
Versions Affected: v.1.4.21 (older versions are also affected)
Severity: Medium

Input passed to the 'css' parameter from '/docs/showdoc.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:

Code:

http://somehost/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>

We'll come up with a new version asap.

[gsa]

The advisory should be re-worded with correct reference to the versions. Please use this text:
We'll come up with a new version asap.

Ok. Thank you.

[Joachim Müller]

cpg1.4.22 has just been released, see announcement thread cpg1.4.22 Security release - upgrade mandatory!.
Manual fixing instructions have been provided in the announcement thread as well. Please keep this thread here clean and do not reply to it with individual issues. If you have issues with upgrading or if you think that you have found another bug, start a thread of your own on the corresponding support board. Do not hijack this thread, which is meant for communication between Gerendi Sandor Attila and the dev team.