103357 – www-apps/coppermine: Photo Gallery EXIF Data Script Insertion

Bug 103357 - www-apps/coppermine: Photo Gallery EXIF Data Script Insertion

Summary: www-apps/coppermine: Photo Gallery EXIF Data Script Insertion

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High trivial (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/16499/
Whiteboard:	~4 [noglsa] DerCorny
Keywords:

Depends on:
Blocks:

Reported:	2005-08-22 11:03 UTC by Jean-François Brunette (RETIRED)
Modified:	2005-08-22 22:06 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-08-22 11:03:50 UTC

Description:
A vulnerability has been reported in Coppermine Photo Gallery, which can be
exploited by malicious people to conduct script insertion attacks.

EXIF data stored in certain image files are not properly sanitised before being
displayed to users. This can be exploited to execute arbitrary script code in a
user's browser session in context of an affected site when malicious EXIF data
are viewed.

The vulnerability has been reported in versions prior to 1.3.4.

Solution:
Update to version 1.3.4.

Comment 1 Stefan Cornelius (RETIRED) gentoo-dev

2005-08-22 11:36:33 UTC

web-apps, please provide an updated ebuild, thanks. was never marked stable, so
this can probably wait until the xmlrpc-2 storm is over.

Comment 2 Renat Lumpau (RETIRED) gentoo-dev

2005-08-22 15:06:27 UTC

bumped

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-08-22 22:06:25 UTC

Thanks Renat.