Zoph is Vulnerable to SQL Injection and XSS Security Flaws
According to researchers at Secunia, Zoph is vulnerable to multiple SQL injection and cross-site scripting (XSS) attacks. The software is a web-based digital image presentation and management system written in PHP and MySQL.
An attacker could exploit these flaws through a maliciously crafted URL to run code in a victim's web browser in the security context of the site that hosts the flaws, provided the user clicks on the URL.
Through such exploitation, the attacker could capture cookie-based authentication credentials, hijack the software, gain access to data or modify it, and exploit latent flaws in the underlying database.
The vulnerabilities affecting Zoph are mainly attributed to unspecified input that is not properly sanitised before being returned to the end user. As a result, the vulnerabilities could be abused to execute arbitrary HyperText Markup Language (HTML) and script code in the victim's browser, in the context of the affected site.
When malicious characters are used to exploit the vulnerabilities, there is a high chance that XSS attacks could be launched. If those attacks succeed, the malicious characters might evade specific computer restrictions and controls, which could lead to the total compromise of a user's computer.
Moreover, the vulnerabilities have been described as affecting versions prior to 0.7.0.6 and as having low criticality. Users should therefore update their application to the most recent version, 0.7.0.6. Secunia reports that Zoph's latest versions are unaffected by the vulnerabilities, which could lead to privacy problems for users and thereby allow spammers to access the former's private information.
Meanwhile, spammers often target websites that provide photo-sharing facilities to spread their malicious software or other harmful content. During 2008, spammers exploited the ImageShack and Google's Picasa websites by posting malicious Flash advertisements that appeared on trustworthy Internet sites and diverted visitors to fake ones.
» SPAMfighter News - 22-07-2009