Hi,
I sent an email to the programmers explaining the vulnerabilities I found in Zenphoto, some of them could be really dangerous.
I still have no answer. Are you going to fix them?
It would be great if you could fix them before I send a mail to securityfocus.
Thanks!
Interesting - when did you send the email? It does appear that ZP development has slowed, but I should hope security vulnerabilities would be addressed in a timely manner if the project was proceeding at all.
Looks like you're doing the right thing by disclosing the vulnerabilities privately, hope you get a response.
I sent it last week to the 4 developers of the project. Still no answer.
I'll leave them some more time, and post the vulnerabilities and the way to fix them (as the project is open source) if they still don't answer.
These vulnerabilities are critical, better fix them before someone else finds them and exploits them.
Ummm, I think the idea is that he would post the vulnerabilities along with patches. Cross Site Scripting vulnerabilities aren't rocket science to fix -- and they usually aren't rocket science to find either, so it's only a matter of time before someone else finds/exploits/discloses them...
The OP has emailed the developers and now has posted a notice on their support forums. I'd say give them 1-2 weeks, and then disclose along with the patches.
I'll get a bugfix release out this week fixing all the problems mentioned in the email, raphaelh. We have looked them over and discussed them and we think they can be fixed easily.
Sorry for not replying more promptly, but I can speak for both Todd and me in saying Zenphoto has been on the back burner recently.