[SA19104] Gallery Script Insertion and Session Handling Vulnerabilities
From: Secunia Security Advisories (sec-adv secunia.com)
Date: Fri Mar 03 2006 - 07:32:04 CST
TITLE:
Gallery Script Insertion and Session Handling Vulnerabilities
SECUNIA ADVISORY ID:
SA19104
VERIFY ADVISORY:
http://secunia.com/advisories/19104/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data
WHERE:
From remote
SOFTWARE:
Gallery 2.x
http://secunia.com/product/5879/
DESCRIPTION:
James Bercegay has reported some vulnerabilities in Gallery, which
can be exploited by malicious people to conduct script insertion
attacks and to bypass certain security restrictions.
1) Input passed to "getRemoteHostAddress()" via the X_FORWARDED_FOR
HTTP header isn't properly sanitised before being saved. This can be
exploited to spoof the IP address that is logged when adding comments
in an album, or to execute arbitrary HTML and script code in a user's
browser session in context of an affected website when a malicious
comment is viewed.
2) Input passed in the session id isn't properly sanitised before
being used. This can be exploited to delete arbitrary files
accessible to the web server process.
The vulnerabilities have been reported in version 2 through 2.0.2.
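
The two input classes described above, handled defensively. This is an added example, not part of the Secunia advisory and not Gallery's code. The function names, the trusted-proxy list, the session id format and the file-per-session layout are assumptions made for illustration.

```php
<?php
// Added example. Names, proxy list and id format are assumptions, not Gallery's code.
const TRUSTED_PROXIES = ['10.0.0.5']; // constructed value

// Return a client address that is always a syntactically valid IP.
function remoteHostAddress(array $server): string
{
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: '0.0.0.0';
    // Ignore the forwarded header unless the direct peer is a proxy we run.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $last = end($hops); // right-most hop is the one our own proxy appended
    return filter_var($last, FILTER_VALIDATE_IP) ?: $peer;
}

// Encode on output too, so values stored before the fix render as text.
function renderHost(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Map a session id to a file only if it matches a strict alphabet.
function sessionFilePath(string $dir, string $id): ?string
{
    if (!preg_match('/\A[A-Za-z0-9]{16,64}\z/', $id)) {
        return null; // rejects path separators, dots and empty ids
    }
    return rtrim($dir, '/') . '/' . $id;
}

// Constructed sample requests.
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '<b>x</b>'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '<b>x</b>, 198.51.100.7'];
$badHop  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '<b>x</b>'];

var_dump(remoteHostAddress($direct));   // header ignored: peer is not a trusted proxy
var_dump(remoteHostAddress($proxied));  // right-most hop is a valid IP and is used
var_dump(remoteHostAddress($badHop));   // invalid hop: falls back to the proxy address
var_dump(renderHost('<b>x</b>'));       // markup is encoded before display
var_dump(sessionFilePath('/var/lib/app/sessions', 'not/a-valid id'));
var_dump(sessionFilePath('/var/lib/app/sessions', 'a1b2c3d4e5f6a7b8c9d0'));
```

Validating on input keeps the logged address trustworthy, while encoding on output covers comment rows that were stored before the upgrade.
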
SOLUTION:
Update to version 2.0.3.
http://codex.gallery2.org/index.php/Gallery2:Download
PROVIDED AND/OR DISCOVERED BY:
James Bercegay, GulfTech Security Research Team.
ORIGINAL ADVISORY:
http://gallery.menalto.com/gallery_2.0.3_released
http://www.gulftech.org/?node=research&article_id=00106-03022006
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------