Security Alert: XSS and MySQL injection flaws

c0bra · March 28th, 2005, 06:11 PM

I've just noticed a security alert that apparently affects all current photopost installations. The alert goes into detail on how to attack/hack our software installations. This doesn't appear to be published on the securityfocus website yet.

Are you aware of this yet Michael? Did hackerscenter contact you about this prior to publishing their findings?

c0bra · March 28th, 2005, 06:13 PM

Here is the advisory:
http://icis.digitalparadox.org/~dcrab/ppgs.txt

Chuck S · March 28th, 2005, 06:14 PM

No one has contacted our main email account on any issues

I know any VALID flaws have been fixed to date.

c0bra · March 28th, 2005, 06:16 PM

This was just released about two hours ago. These look like new findings to me.

Chuck S · March 28th, 2005, 06:24 PM

There have been no reports to our photopost contact email.

Michael P · March 28th, 2005, 08:12 PM

They aren't new; they are rehashed old reports resolved months ago in the 4.8x series. I see nothing new to these issues posted here (in fact, the GulfTech who reported the issues to us months ago took offense to their rehashing of his old info).

WB · March 29th, 2005, 02:25 PM

Michael:

We ran across one in our list as well:

http://secunia.com/advisories/14742/

I think that might be from the same source as mentioned by cobra but JIC can you verify that those aren't new as well?

Thanks.

Michael P · March 29th, 2005, 03:49 PM

Once again, these appear to be rehashed issues with a release that was out for a day or two (5.0) and were quickly fixed. Their report is inaccurate as they are no longer issues with the 5.01 or 5.02 releases.

WB · March 29th, 2005, 03:53 PM

Great, thanks for confirming.