ZenPhoto 1.4.0.3 patched 2011-4-19 x-forwarded-for HTTP Header presisitent XSS

vendor:

Zenphoto

by:

Saif El-Sherei

7.5

CVSS

HIGH

Persistent XSS

CWE

Product Name: Zenphoto

Affected Version From: 1.4.0.3

Affected Version To: 1.4.0.3

Patch Exists: YES

Related CWE: N/A

CPE: a:zenphoto:zenphoto:1.4.0.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: FF 3.0.15, IE 8

2011

ZenPhoto 1.4.0.3 patched 2011-4-19 x-forwarded-for HTTP Header presisitent XSS

Zenphoto is vulnerable to persistent XSS due to failure to sanitize the 'x-forwarded-for' HTTP header in security logs before being displayed in 'zp-core/admin-logs.php'. This could allow a remote attacker to inject malicious HTML code by altering the 'x-forwarded-for' HTTP header using either an intercepting proxy or manual requests in security logs and attack any user with sufficient privilege to access 'Security-logs', usually appliaction administrators.

Mitigation:

Ensure that all user-supplied input is properly sanitized before being displayed in the security logs.

Source

Exploit-DB raw data:

# Exploit Title: ZenPhoto 1.4.0.3 patched 2011-4-19 x-forwarded-for HTTP
Header presisitent XSS
# Date: 21-4-2011
# Author: Saif El-Sherei
# Software Link: http://zenphoto.googlecode.com/files/zenphoto-1.4.0.3.zip
# Version: 1.4.0.3 latest updated 2011-4-19
# Tested on:FF 3.0.15, IE 8

Info:

Zenphoto is an answer to lots of calls for an online gallery solution that
just makes sense. After years of bloated software that does everything and
your dishes, zenphoto just shows your photos, simply. It's got all the
functionality and "features" you need, and nothing you don't. Where the old
guys put in a bunch of modules and junk, we put a lot of thought. We hope
you agree with our philosopy: simpler is better.

Details:

failure to sanitize "x-forwarded-for" HTTP header in security logs before
being displayed in "zp-core/admin-logs.php", could allow a remote attacker
to inject malicious HTML code by altering the "x-forwarded-for" HTTP header
using either an intercepting proxy or manual requests in security logs and
attack any user with sufficient privilege to access "Security-logs", usually
appliaction administrators by presistent XSS.

POC:

<script>alert('Saif was Here');</script>

Regards,

Saif El-Sherei