Several vulnerabilities found (cross site scripting and full path disclosure)

Hi,

I sent an email to the programmers explaining the vulnerabilities I found in Zenphoto, some of them could be really dangerous.

I still have no answer. Are you going to fix them?

It would be great if you could fix them before I send a mail to securityfocus.

Thanks!

Comments

  • Interesting - when did you send the email? It does appear that ZP development has slowed, but I should hope security vulnerabilities would be addressed in a timely manner if the project was proceeding at all.

    Looks like you're doing the right thing by disclosing the vulnerabilities privately, hope you get a response.
  • I sent it last week to the 4 developers of the project. Still no answer.

    I'll leave them some more time, and post the vulnerabilities and the way to fix them (as the project is opensource) if they still don't answer.

    These vulnerabilities are critical, better fix them before someone else finds them and exploits them.
  • Yea, post them. That always is a sure 100% way to get them fixed. NO! What happens if they aren't sure how to fix them just yet?
  • Ummm, I think the idea is that he would post the vulnerabilities along with patches. Cross Site Scripting vulnerabilities aren't rocket science to fix -- and they usually aren't rocket science to find either, so it's only a matter of time before someone else finds/exploits/discloses them...

    The OP has emailed the developers and now has posted a notice on their support forums. I'd say give them 1-2 weeks, and then disclose along with the patches.
  • Yea, that's a totally different story if the patches are posted with them. I don't know much about PHP but I am willing to guess that some security issues can be rather difficult to fix, which is where my fear is coming from.
  • I think it is very easy to fix. Check every input of $_GET['album']. Use function realpath to make sure the $_GET['album'] does not contain ../../.. something like that.
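The realpath-based check the comment above suggests, written out as an added example (not Zenphoto's own code); the ALBUM_ROOT path and the safe_album_path name are assumptions for this illustration. It also handles the cases a plain "contains ../" test misses: realpath() returning false for non-existent paths, symlinks, and a sibling directory that shares the root as a string prefix.

```php
<?php
// Added example, not Zenphoto code. ALBUM_ROOT is an assumed location.
const ALBUM_ROOT = '/var/www/zenphoto/albums';

/**
 * Return the canonical on-disk directory for $album, or null if the value
 * escapes ALBUM_ROOT, does not exist, or is not a directory.
 */
function safe_album_path(string $album): ?string
{
    // Empty names, NUL bytes and absolute paths have no legitimate use here.
    if ($album === '' || strpos($album, "\0") !== false || $album[0] === '/') {
        return null;
    }
    $root = realpath(ALBUM_ROOT);
    if ($root === false) {
        return null;                       // misconfigured root directory
    }
    // realpath() resolves '..' and symlinks and returns false for paths that
    // do not exist, so "../../../etc/passwd"-style input is rejected here.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $album);
    if ($resolved === false || !is_dir($resolved)) {
        return null;
    }
    // Compare against the root *with* a trailing separator, otherwise a sibling
    // such as /var/www/zenphoto/albums_private would pass a bare prefix test.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Usage: validate before the value reaches the filesystem or the page. Failing
// closed with a generic message also avoids echoing the server path back
// (the full path disclosure mentioned in the thread).
$album = $_GET['album'] ?? '';
$path = safe_album_path($album);
if ($path === null) {
    http_response_code(400);
    exit('Invalid album');
}
// Anywhere the album name is printed into HTML, escape it (the XSS side):
echo htmlspecialchars($album, ENT_QUOTES, 'UTF-8');
```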
  • trisweb Administrator
    Yes, it is extremely easy to fix, and we would prefer not to have publicity while we find the time to fix them.

    Sorry for the delay, but please don't worry.
  • trisweb Administrator
    I'll get a bugfix release out this week fixing all the problems mentioned in the email, raphaelh. We have looked them over and discussed them and we think they can be fixed easily.

    Sorry for not replying more promptly, but I can speak for both Todd and me in saying Zenphoto has been on the back burner recently.
  • Thanks for correcting the vulnerabilities. I've found 3 more: 2 XSS and 1 full path disclosure.

    Just submitted them by mail to the developers of the project.
  • I forgot to mention: affecting 1.0.2 beta
  • trisweb Administrator
    I have emailed you back and I've fixed the vulnerabilities in 1.0.2 in the current SVN code. There will be a bugfix/improvement release 1.0.3 this week including them. Thanks!