Zoph Multiple Parameter Cross Site Scripting Vulnerabilities I. BACKGROUND --------------------- "Zoph (Zoph Organizes Photos) is a web based digital image presentation and management system. In other words, a photo album. It is built with PHP, MySQL and Perl." II. VULNERABILITIES --------------------- VUPEN Web Vulnerability Research Team discovered multiple vulnerabilities in Zoph. These issues are caused by input validation errors in various scripts when processing the "user_name", "title", "called", "email", "dob", "middle_name", "last_name", "first_name", "subject", "message", "photographer_id", "person_id", "_random", "_rating-op", "rating", "timestamp" and "_timestamp-op" parameters, which could be exploited to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site. III. AFFECTED PRODUCTS --------------------------- Zoph versions prior to 0.8.0.3 Zoph versions prior to 0.8.1.1 IV. SOLUTION ---------------- Upgrade to Zoph version 0.8.0.3 or 0.8.1.1 : http://www.zoph.org/concrete/index.php/download/ V. CREDIT -------------- These vulnerabilities were discovered by Mohammed Boumediane (VUPEN Security) with help of the VUPEN Web Application Security Scanning (WASS) technology: http://www.vupen.com/english/services/wass-index.php VI. VUPEN Web Application Security Scanner (WASS) ---------------------------------------------------- VUPEN Web Application Security Scanner (WASS) is a SaaS security scanning technology which enables corporations and organizations to identify, track and remediate security vulnerabilities affecting their web sites and web applications, prevent criminals from gaining unauthorized access to sensitive data, and comply with security requirements such as PCI. Read More: http://www.vupen.com/english/services/wass-index.php VII. REFERENCES ---------------------- http://www.vupen.com/english/advisories/2010/1680 http://www.zoph.org/concrete/index.php/news/security-releases-for-zoph/ VIII. DISCLOSURE TIMELINE ----------------------------- 2010-05-05 - Vendor notified 2010-05-30 - Vendor response 2010-07-02 - Coordinated public Disclosure