![]() |
|
Vulnerability in Zenphoto - Printable Version +- ZenphotoCMS Forum (https://forum.zenphoto.org) +-- Forum: Support (https://forum.zenphoto.org/forum-1.html) +--- Forum: General support (https://forum.zenphoto.org/forum-4.html) +--- Thread: Vulnerability in Zenphoto (/thread-2121.html) |
Vulnerability in Zenphoto - Matthijs - 2008-01-23 Since I can't find any contact info and there is no mention of this on the front-page or elsewhere: are the developers and users of Zenphoto aware of the vulnerabilities which can be exploited by malicious people to conduct SQL injection attacks. It's on the secunia site, so in public. Everybody better fix their code! Vulnerability in Zenphoto - acrylian - 2008-01-23 Thanks for reporting. The forum is the right place to contact us. Creating a ticket in the bugtracker would be a good idea for these kind of reports, too. But anyway, for your interesst: The second report I found on the secunia site is stated for zenphoto 1.0.4 to 1.0.6 and to be solved in 1.0.7. Vulnerability in Zenphoto - sbillard - 2008-01-23 Are you concerned about a particular problem? If so, which. So far as I can see on the secunia site, it reports two problems. Neither are currently issues. Vulnerability in Zenphoto - Matthijs - 2008-01-23 I was talking about the rss feed issue. If it' solved in the 1.1.4 nightly, then that's fine. @sbillard: the vulnerability still exists in the 1.1.3 release I downloaded today. Vulnerability in Zenphoto - Matthijs - 2008-01-24 By the way, thanks for the fast responses. If I have some time I'll see if I can find more problems. In rss.php for example, several input variables are used for html output without any escaping (or input validation). $_SERVER["HTTP_HOST"] and albumname for example. A simple htmlentities($var, ENT_QUOTES, 'UTF-8') should be used there. For the HTTP_HOST story, see also http://shiflett.org/blog/2006/mar/server-name-versus-http-host Vulnerability in Zenphoto - trisweb - 2008-01-24 SQL-injection and XSS vulnerabilities fixed in rss.php in SVN and tonight's nightly. Do we have any others? Thanks for the tip on HTTP_HOST. Vulnerability in Zenphoto - jlang - 2008-01-25 I'm impressed that these are being fixed as soon as they are being found. Is there a general strategy for handling potentially unclean data? Vulnerability in Zenphoto - Matthijs - 2008-01-25 It's indeed good these are fixed quickly. But I'm less impressed with the fact that these errors were in the code in the first place. I really don't want to blame anyone or sound too negative, but if you look at the code: These are so obvious and easy to spot. Why have they been overlooked? And what about the possible harder to spot vulnerabilities? I think it would be a lot better to rewrite the code in such a way that there are a few distinct groups of variables. One is raw input (GET, POST, SERVER, etc). The second is a $clean array, only containing validated content. So $clean['somenumericid'] = (int)$_GET['someid'];
$html = array(); $sql = array(); $html['somevar'] = htmlentities($clean['somevar'], ENT_QUOTES, 'UTF-8'); $sql['var'] = mysql_real_escape_string($clean['var']); ` If there's any help needed, I would be willing to help. I use zenphoto and it's a great piece of software and I'm thankful to the developers who have put a lot of work in it. Vulnerability in Zenphoto - acrylian - 2008-01-25 Well, I feel indeed a little blamed since I made this feed (although based on the work of others). These issues were not that obvious for me and I never heard of Chris Shifflet. But I am not a security expert and my roots are in design and not programming. But I can learn from mistakes. If you look at the new rss code in the nightly, we use already existing functions called sanitize and sanitize_numeric to validate the input now. You find them in zp-core/functions.php if you want to take a look at their code. So if you have the indepth knowledge, the time to help you are welcome. Create an account on the trac, then you can create tickets and attach fixes if you find anything more. Vulnerability in Zenphoto - Matthijs - 2008-01-25 Hi acrylian, thanks for your reply. Shiflett can be found on http://shiflett.org/. He wrote a very good book on php security. It's quite small and an easy read. Not as in-depth as other books, but it makes the principles very clear. Good for a start. Indeed, I saw that the new rss is updated. However, there is still some un-escaped output ($albumname and $_SERVER["HTTP_HOST"]). Even though $albumname has been "validated" (I haven't looked at the sanitize function yet, so don't know what that does), it still needs escaping. And for the $_SERVER["HTTP_HOST"]: on line 60 further down there is a escaped variable created, $host. If that one is placed earlier in the code and then used in place of the echo'd $_SERVER["HTTP_HOST"] in line 30 that is solved as well. I will create an account on the trac and maybe I'll be able to help. Vulnerability in Zenphoto - acrylian - 2008-01-26 We have fixed the second $_SERVER issue in the svn as you suggested. Vulnerability in Zenphoto - binoyte - 2012-02-09 http://secunia.com/advisories/47875/ There is a new secunia advisory ( 2012-02-09) about vulnerabilty in ZenPhoto. What about ?? The 1.4.2.1 is not a security update. Edit : Sorry I had better to read first before speaking. Vulnerability in Zenphoto - acrylian - 2012-02-09 No problem. Generally we don't always advertise fixed small security issues explicitly, we do only on really severe issue as with 1.4.1.6. It is really recommended to stay tuned! |