Zenphoto Multiple Security Vulnerabilities
The information has been provided by Janek Vind ‘waraxe’.
* Zenphoto 22.214.171.124
Attackers can exploit these issues to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, obtain sensitive information, bypass certain security restrictions, and spoof an IP address which may lead to a false sense of trust and allow the attacker to perform malicious activities; other attacks may also be possible.
Attackers can the exploit path-disclosure, information-disclosure and SQL-injection issues through a browser. Attackers can exploit the IP address spoofing issue with readily available tools. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI.
The following example URIs and input data are available:
Published: November 05 2012