Contact Us
SECURITY BLOG SECURITY DASHBOARD PARTNERS PRODUCTS SERVICES COMPANY HOME
 
Security Dashboard | US-CERTs | CNet | SecurityFocus | Advisories | Exploits | Threats | Vulnerabilities | Risks
Network Security Consulting Advisories Article

Zenphoto 'x-forwarded-for' Header HTML Injection Vulnerability

http://www.securityfocus.com/bid/47544

Security Info

Bugtraq ID: 47544
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Apr 22 2011 12:00AM
Updated: Apr 22 2011 12:00AM
Credit: Saif El-Sherei
Vulnerable: Zenphoto zenphoto 1.4 3
Not Vulnerable:

Security Discussion

Zenphoto is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Zenphoto 1.4.0.3 is vulnerable; other versions may also be affected.

Proof of Concept and Security Exploits

Attackers can use a browser to exploit this issue.

Security Solution(s)

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Security References(s)

References:

Contact Us

Security Penetration Testing

Security Questions

Security Dashboard

Emagined Security Blog featuring Dr. Eugene Schultz
Site Updated February 22, 2012
©2000-2012 Emagined Security
All Rights Reserved

Secure Web Programming
by Vizual Services