forum.coppermine-gallery.net

No Support => General discussion (no support!) => Topic started by: aljareh on June 19, 2006, 05:29:43 pm

Title: Security
Post by: aljareh on June 19, 2006, 05:29:43 pm
There is a lot of XSS (Cross-Site Scripting) I found in cpg
by this program, it is an Arabic program:
http://www.jaascois.com/software/AntiWebInjection/JAAScoisAWIen.zip
Some of the XSS:
http://127.0.0.1/f/misc.php?forget=1&index=1#top<script>alert('hacking%20xss')</script>
http://127.0.0.1/f/forum.php?id=7&show=1&order=1&order_type=DESC#posts_table<script>alert('hacking%20xss')</script>
and there is a lot of that XSS
in cpg.
Title: Re: Security
Post by: Sami on June 19, 2006, 05:42:04 pm
There is no misc.php or forum.php file, I think you examined an older version, a bridge version or a totally different program.
Title: Re: Security
Post by: Joachim Müller on June 19, 2006, 09:03:40 pm
bmossavari is right: no coppermine version ever contained files named misc.php or forum.php. As your links point to your local machine, we can't examine any further. Anyway: if your machine can only be accessed locally, why do you worry about XSS?
If you think you actually found a vulnerability and not some bogus stuff detected by a questionable app that claims to be able to detect XSS vulnerabilities, please post actual details, i.e. vulnerable code snippets that come from coppermine.
As suggested: the "tool" JAAScoisAWIen (http://www.securityfocus.com/tools/3894) is very questionable, as google only contains hits for the website of the company that created the tool. How could an executable that only runs under Windows be a reliable webserver security tool? Looks like a trojan to me.
No offense though, thanks for the report.
Title: Re: Security
Post by: Tarique Sani on June 20, 2006, 06:45:09 am
At least post how to verify the attacks - some URLs which we can replicate the attack with (your given URLs are not relevant to Coppermine).
Title: Re: Security
Post by: aljareh on June 20, 2006, 08:41:23 am
> bmossavari is right: no coppermine version ever contained files named misc.php or forum.php. As your links point to your local machine, we can't examine any further. Anyway: if your machine can only be accessed locally, why do you worry about XSS?
> If you think you actually found a vulnerability and not some bogus stuff detected by a questionable app that claims to be able to detect XSS vulnerabilities, please post actual details, i.e. vulnerable code snippets that come from coppermine.
> As suggested: the "tool" JAAScoisAWIen (http://www.securityfocus.com/tools/3894) is very questionable, as google only contains hits for the website of the company that created the tool. How could an executable that only runs under Windows be a reliable webserver security tool? Looks like a trojan to me.
> No offense though, thanks for the report.
Hi, but the JAAScoisAWIen (http://www.securityfocus.com/tools/3894) is not a trojan.

I'm sorry, that was another program, it's www.mysmartbb.com, it's an Arabic forum program.
But this is in cpg 1.4.x:
http://coppermine-gallery.net/demo/cpg14x/thumbnails.php?album=<script>alert('hacking%20xss')</script>

http://coppermine-gallery.net/demo/cpg14x/thumbnails.php?album=toprated&amp;amp=&amp;cat=0&amp;4x=&amp;thumbnails_php?album=toprated&amp;amp;cat=0&amp;lang=english<script>alert('hacking%20xss')</script>

http://coppermine-gallery.net/demo/cpg14x/thumbnails.php?album=favpics&amp;4x=&amp;thumbnails_php?album=favpics&amp;lang=spanish<script>alert('hacking%20xss')</script>

http://coppermine-gallery.net/demo/cpg14x/search.php?4x=&amp;search_php=&amp;lang=danish<script>alert('hacking%20xss')</script>

http://coppermine-gallery.net/demo/cpg14x/search.php?4x=&amp;search_php=&amp;lang=korean<script>alert('hacking%20xss')</script>

http://coppermine-gallery.net/demo/cpg14x/search.php?4x=&amp;search_php=&amp;lang=swedish<script>alert('hacking%20xss')</script>

Title: Re: Security
Post by: Sami on June 20, 2006, 08:59:30 am
These are not working!!!!
They all get filtered by the gallery :)
Every "<" will become "&lt;", so you will not be able to cross ;)
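The filtering Sami describes is plain HTML output encoding: a parameter is echoed into the page only after "<" has been turned into "&lt;". The following Python block is an added example, not code from the thread or from Coppermine; it takes the thumbnails.php and search.php URLs posted above (embedded as constructed samples, with the "&amp;" separators the forum rendered), pulls the query parameters out, and compares a hypothetical template that echoes them verbatim against one that encodes them the way the gallery's filter does. The "<input ...>" template, the function names and the check for a surviving "<script" tag are all assumptions made for this illustration.

```python
"""Added example (not from the forum thread or Coppermine's code base):
why the posted payloads do not execute once every "<" becomes "&lt;"."""
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed samples: the two URL shapes posted in the thread. The forum
# rendered "&" as "&amp;", so the query string is HTML-unescaped before parsing.
SAMPLE_URLS = [
    "http://coppermine-gallery.net/demo/cpg14x/thumbnails.php"
    "?album=<script>alert('hacking%20xss')</script>",
    "http://coppermine-gallery.net/demo/cpg14x/search.php"
    "?4x=&amp;search_php=&amp;lang=danish<script>alert('hacking%20xss')</script>",
]


def query_params(url):
    """Return the query parameters of a URL as a dict (blank values kept)."""
    raw_query = html.unescape(urlsplit(url).query)
    return dict(parse_qsl(raw_query, keep_blank_values=True))


def render_unsafe(name, value):
    """Hypothetical vulnerable template: reflects the parameter verbatim."""
    return '<input name="%s" value="%s">' % (name, value)


def render_escaped(name, value):
    """Hardened template: htmlspecialchars-style encoding of both name and
    value, so "<" arrives in the page as "&lt;" and quotes as entities."""
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def contains_script_tag(markup):
    """True if the markup still carries an opening <script tag (case-insensitive)."""
    return "<script" in markup.lower()


def check_url(url):
    """For every parameter in the URL, report whether a <script tag survives in
    the verbatim rendering and in the escaped rendering, as a dict of
    name -> (unsafe_has_script, escaped_has_script)."""
    report = {}
    for name, value in query_params(url).items():
        report[name] = (
            contains_script_tag(render_unsafe(name, value)),
            contains_script_tag(render_escaped(name, value)),
        )
    return report


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        for param, (unsafe_hit, escaped_hit) in check_url(sample).items():
            print("%-12s verbatim: %-5s escaped: %s" % (param, unsafe_hit, escaped_hit))
```

Running it shows that the verbatim template would reflect the tag for `album` and `lang` while the encoded template never does, which is exactly the behaviour Sami reports for the demo gallery. The same check is a cheap way to confirm, before filing a report, that a scanner's "XSS found" URL actually lands unencoded in the response.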
Title: Re: Security
Post by: Tarique Sani on June 20, 2006, 09:15:12 am
bmossavari is right, none of the above result in an XSS.