EZPhotoSales Multiple Input Validation Vulnerabilities
BID:25323
Info
EZPhotoSales Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 25323 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-4259 CVE-2007-4261 CVE-2007-4262 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 14 2007 12:00AM |
| Updated: | Aug 29 2007 08:02PM |
| Credit: | Seth Fogie is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
EZPhotoSales EZPhotoSales 1.9.3 |
| Not Vulnerable: | |
Discussion
EZPhotoSales Multiple Input Validation Vulnerabilities
EZPhotoSales is prone to multiple input-validation vulnerabilities, including an authentication-bypass issue, multiple information-disclosure issues, an HTML-injection issue, and an arbitrary-file-upload issue. These issues occur because the application fails to properly sanitize user-supplied input and to protect sensitive information.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, control how the site is rendered to the user, compromise the application, obtain sensitive information, and access or modify data. Successful exploits may facilitate a complete compromise of affected computers.
EZPhotoSales 1.9.3 is reported vulnerable; other versions may also be affected.
EZPhotoSales is prone to multiple input-validation vulnerabilities, including an authentication-bypass issue, multiple information-disclosure issues, an HTML-injection issue, and an arbitrary-file-upload issue. These issues occur because the application fails to properly sanitize user-supplied input and to protect sensitive information.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, control how the site is rendered to the user, compromise the application, obtain sensitive information, and access or modify data. Successful exploits may facilitate a complete compromise of affected computers.
EZPhotoSales 1.9.3 is reported vulnerable; other versions may also be affected.
Exploit / POC
EZPhotoSales Multiple Input Validation Vulnerabilities
Attackers can use a browser to exploit these issues.
Attackers can use a browser to exploit these issues.
Solution / Fix
EZPhotoSales Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
References
EZPhotoSales Multiple Input Validation Vulnerabilities
References:
References:
- Airscanner Mobile Security Advisory #07080601: EZPhotoSales 1.9.3 Multiple Vulne (Seth Fogie)
- EZPhotoSales Homepage (EZPhotoSales)