Member
raphaelh   2006-03-28, 15:30
#1

Hi,

I sent an email to the programmers explaining the vulnerabilities I found in Zenphoto; some of them could be really dangerous.

I still have no answer. Are you going to fix them?

It would be great if you could fix them before I send a mail to securityfocus.

Thanks!

Member
dprior   2006-03-29, 04:40
#2

Interesting - when did you send the email? It does appear that ZP development has slowed, but I should hope security vulnerabilities would be addressed in a timely manner if the project was proceeding at all.

Looks like you're doing the right thing by disclosing the vulnerabilities privately, hope you get a response.

Member
raphaelh   2006-03-29, 07:13
#3

I sent it last week to the 4 developers of the project. Still no answer.

I'll leave them some more time, and post the vulnerabilities and the way to fix them (as the project is opensource) if they still don't answer.

These vulnerabilities are critical, better fix them before someone else finds them and exploits them.

Member
aitf311   2006-03-30, 02:01
#4

Yeah, post them. That always is a sure 100% way to get them fixed. NO! What happens if they aren't sure how to fix them just yet?

Member
dprior   2006-03-30, 02:20
#5

Ummm, I think the idea is that he would post the vulnerabilities along with patches. Cross Site Scripting vulnerabilities aren't rocket science to fix -- and they usually aren't rocket science to find either, so it's only a matter of time before someone else finds/exploits/discloses them...

The OP has emailed the developers and now has posted a notice on their support forums. I'd say give them 1-2 weeks, and then disclose along with the patches.

Member
aitf311   2006-03-30, 03:16
#6

Yeah, that's a totally different story if the patches are posted with them. I don't know much about PHP but I am willing to guess that some security issues can be rather difficult to fix, which is where my fear is coming from.

Member
WeiChen   2006-04-01, 03:36
#7

I think it is very easy to fix. Check every input of $_GET['album']. Use the function realpath to make sure $_GET['album'] does not contain ../../.. or something like that.
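
The realpath check suggested in post #7, as an added example that is not part of the original thread and is not Zenphoto's code. The helper name `resolve_album()`, the albums root and the sample directory tree are assumptions constructed for the illustration; `$requested` stands in for `$_GET['album']`.

```php
<?php
// Added illustration, not Zenphoto code. resolve_album() and the directory
// layout are assumptions; $requested stands in for $_GET['album'].
function resolve_album(string $albumsRoot, string $requested): ?string
{
    $root = realpath($albumsRoot);
    if ($root === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and resolves symlinks; it returns false
    // when the target does not exist.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_dir($resolved)) {
        return null;
    }
    // Compare against the root plus a trailing separator, so a sibling such
    // as "albums-private" does not pass a plain prefix test on "albums".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null; // outside the albums root, or the root itself
    }
    return $resolved;
}

// Constructed sample tree under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'album_demo_' . uniqid();
foreach (['albums/holiday', 'albums-private', 'secret'] as $dir) {
    mkdir($base . DIRECTORY_SEPARATOR . $dir, 0700, true);
}

// Constructed request values.
$samples = ['holiday', 'missing', '../secret', '../albums-private', 'holiday/../../secret'];
foreach ($samples as $album) {
    $path = resolve_album($base . '/albums', $album);
    printf("%-22s => %s\n", $album, $path === null ? 'rejected' : 'accepted');
}

// Remove the sample tree.
foreach (['albums/holiday', 'albums', 'albums-private', 'secret', ''] as $dir) {
    rmdir(rtrim($base . DIRECTORY_SEPARATOR . $dir, DIRECTORY_SEPARATOR));
}
```

The comparison is made on the resolved path rather than on the raw string, so the check does not depend on spotting every spelling of `../` in the input.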

Developer
trisweb   2006-04-01, 19:08
#8

Yes, it is extremely easy to fix, and we would prefer not to have publicity while we find the time to fix them.

Sorry for the delay, but please don't worry.

Developer
trisweb   2006-04-01, 19:21
#9

I'll get a bugfix release out this week fixing all the problems mentioned in the email, raphaelh. We have looked them over and discussed them and we think they can be fixed easily.

Sorry for not replying more promptly, but I can speak for both Todd and I in saying Zenphoto has been on the back burner recently.

Member
raphaelh   2006-05-29, 17:16
#10

Thanks for correcting the vulnerabilities. I've found 3 more: 2 XSS and 1 full path disclosure.

Just submitted them by mail to the developers of the project.

Member
raphaelh   2006-05-29, 17:18
#11

I forgot to mention: affecting 1.0.2 beta

Developer
trisweb   2006-05-30, 08:44
#12

I have emailed you back and I've fixed the vulnerabilities in 1.0.2 in the current SVN code. There will be a bugfix/improvement release 1.0.3 this week including them. Thanks!

  