Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: [Fixed]: Cross-Site Scripting (XSS) Vulnerability  (Read 51228 times)

0 Members and 1 Guest are viewing this topic.

gsa

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
    • GSASEC
[Fixed]: Cross-Site Scripting (XSS) Vulnerability
« on: April 29, 2009, 12:07:00 pm »

Hello,
 Accidentally I found one xss in the cpg14x, here you can see the advisory related:

Coppermine Photo Gallery 1.4 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 29, 2009
Package: Coppermine Photo Gallery (cpg14x)
Product homepage: http://coppermine-gallery.net/
Versions Affected: v.1.4 (Other versions may also be affected)
Severity: Medium

Input passed to the 'css' parameter from '/docs/showdoc.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example: http://somehost/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>
« Last Edit: April 30, 2009, 09:44:15 am by Joachim Müller »
Logged

Hein Traag

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: nl
  • Offline Offline
  • Gender: Male
  • Posts: 2166
  • A, B, Cpg
    • Personal website - Spintires.nl
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #1 on: April 29, 2009, 03:53:24 pm »

Thanks for reporting this. On which site did you find this news?
Logged

gsa

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
    • GSASEC
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #2 on: April 29, 2009, 07:36:31 pm »

I am sorry, I was not very clear In my statement. I am the discoverer of the flaw and the author of the advisory. It was not published anywhere elsewhere. I may publish it after is fixed on my security blog. Sorry again for my bad English, I wanted just to say the I found the vulnerability accidentally.
Logged

gsa

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
    • GSASEC
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #3 on: April 29, 2009, 07:50:50 pm »

More typo and I can not edit my posts... I am irrecoverable....
Also I wanted to ask for feedback on this bug: reception, acceptation and correction. 
Logged

phill104

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 4885
    • Windsurf.me
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #4 on: April 29, 2009, 08:00:00 pm »

I think a little more information will be required so we can see exactly how it works and what it does.

If you would like to PM me full info I will pass it onto the rest of the team so we can take a look and check the impact.

Please also tell us what version of coppermine you are using (should be 1.4.21) along with any other info you can provide.
Logged
It is a mistake to think you can solve any major problems just with potatoes.

Nibbler

  • Guest
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #5 on: April 29, 2009, 08:18:15 pm »

That's enough information already. Should be a simple enough fix. Thanks for notifying us.
Logged

Nibbler

  • Guest
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #6 on: April 29, 2009, 08:31:07 pm »

To patch this, edit docs/showdoc.php

find

Code: [Select]
$file = str_replace($forbidden_chars, '', $file);

add

Code: [Select]
$add_stylesheet = str_replace($forbidden_chars, '', $add_stylesheet);
Logged

phill104

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 4885
    • Windsurf.me
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #7 on: April 29, 2009, 08:46:03 pm »

Yep, it has taken me a while to work out exactly how it does its stuff. I'm a bit slow with these things sometimes.
Logged
It is a mistake to think you can solve any major problems just with potatoes.

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #8 on: April 29, 2009, 10:20:29 pm »

The advisory should be re-worded with correct reference to the versions. Please use this text:
Coppermine Photo Gallery 1.4.21 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 29, 2009
Package: Coppermine Photo Gallery (cpg1.4.21)
Product homepage: http://coppermine-gallery.net/
Versions Affected: v.1.4.21 (older versions are also affected)
Severity: Medium

Input passed to the 'css' parameter from '/docs/showdoc.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:
Code: [Select]
http://somehost/docs/showdoc.php?css=1>"><ScRiPt%20%0a%0d>alert(123)%3B</ScRiPt>

We'll come up with a new version asap.
Logged

gsa

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
    • GSASEC
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #9 on: April 30, 2009, 09:35:15 am »

The advisory should be re-worded with correct reference to the versions. Please use this text:
We'll come up with a new version asap.

Ok. Thank you.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: Cross-Site Scripting (XSS) Vulnerability
« Reply #10 on: April 30, 2009, 09:43:36 am »

cpg1.4.22 has just been released, see announcement thread cpg1.4.22 Security release - upgrade mandatory!.
Manual fixing instructions have been provided in the announcement thread as well. Please keep this thread here clean and do not reply to it with individual issues. If you have issues with upgrading or if you think that you have found another bug, start a thread of your own on the corresponding support board. Do not hijack this thread, which is meant for communication between Gerendi Sandor Attila and the dev team.
Logged
Pages: [1]   Go Up
 

Page created in 0.019 seconds with 20 queries.