Zoph Multiple Parameter Cross Site Scripting Vulnerabilities

2010-07-07T00:00:00
ID SECURITYVULNS:DOC:24180
Type securityvulns
Reporter Securityvulns
Modified 2010-07-07T00:00:00

Description

Zoph Multiple Parameter Cross Site Scripting Vulnerabilities

I. BACKGROUND

"Zoph (Zoph Organizes Photos) is a web based digital image presentation and management system. In other words, a photo album. It is built with PHP, MySQL and Perl."

II. VULNERABILITIES

VUPEN Web Vulnerability Research Team discovered multiple vulnerabilities in Zoph.

These issues are caused by input validation errors in various scripts when processing the "user_name", "title", "called", "email", "dob", "middle_name", "last_name", "first_name", "subject", "message", "photographer_id", "person_id", "_random", "_rating-op", "rating", "timestamp" and "_timestamp-op" parameters, which could be exploited to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

III. AFFECTED PRODUCTS

Zoph versions prior to 0.8.0.3 Zoph versions prior to 0.8.1.1

IV. SOLUTION

Upgrade to Zoph version 0.8.0.3 or 0.8.1.1 : http://www.zoph.org/concrete/index.php/download/

V. CREDIT

These vulnerabilities were discovered by Mohammed Boumediane (VUPEN Security) with help of the VUPEN Web Application Security Scanning (WASS) technology:

http://www.vupen.com/english/services/wass-index.php

VI. VUPEN Web Application Security Scanner (WASS)

VUPEN Web Application Security Scanner (WASS) is a SaaS security scanning technology which enables corporations and organizations to identify, track and remediate security vulnerabilities affecting their web sites and web applications, prevent criminals from gaining unauthorized access to sensitive data, and comply with security requirements such as PCI.

Read More: http://www.vupen.com/english/services/wass-index.php

VII. REFERENCES

http://www.vupen.com/english/advisories/2010/1680 http://www.zoph.org/concrete/index.php/news/security-releases-for-zoph/

VIII. DISCLOSURE TIMELINE

2010-05-05 - Vendor notified 2010-05-30 - Vendor response 2010-07-02 - Coordinated public Disclosure