Multiple vulnerabilities have been discovered in Zenphoto, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks.

1) Input passed via the "date" parameter to zp-core/zp-extensions/zenpage/admin-news-articles.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) The vulnerability is caused due to the zp-core/admin-upload.php script improperly verifying uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.

Successful exploitation of this vulnerability needs an admin account with upload privileges.

3) Input passed via the "redirect" parameter to zp-core/zp-extensions/federated_logon/OpenID_logon.php and zp-core/zp-extensions/federated_logon/Verisign_logon.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) Input passed via the "folderdisplay" and "albumtitle" parameters to zp-core/admin-upload.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) Input passed via the "error" parameter to zp-core/admin-users.php (when "mismatch" is set to "format") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

6) Input passed via the "album" parameter to zp-core/zp-extensions/tiny_mce/plugins/tinyzenpage/tinyzenpage.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

7) Input passed via the "ndeleted" parameter to zp-core/admin-comments.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

8) Input passed via the "data" parameter to zp-core/zp-extensions/GoogleMap/m.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are confirmed in version 1.4.3.3. Prior versions may also be affected.

Solution
Update to version 1.4.3.4.

Provided and/or discovered by
#1) Scott Herbert.
#2 - #8) Janek Vind "waraxe".

Changelog
Further details available to Secunia VIM customers

Original Advisory
Scott Herbert:
http://scott-herbert.com/blog/2012/10/02/cookie-stealing-and-xss-vulnerable-in-zenphotoversion-1-4-3-2-1130

Janek Vind "waraxe":
http://www.waraxe.us/advisory-96.html

Zenphoto:
http://www.zenphoto.org/news/zenphoto-1.4.3.4

Deep Links
Links available to Secunia VIM customers