[UNIX] Cross-site Scripting Vulnerability in ImageFolio Image Gallery Software

From: support@securiteam.com
Date: 11/29/02


From: support@securiteam.com
To: list@securiteam.com
Date: 29 Nov 2002 15:15:42 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cross-site Scripting Vulnerability in ImageFolio Image Gallery Software
------------------------------------------------------------------------

SUMMARY

 <http://www.imagefolio.com/> ImageFolio is a platform independent,
webserver-based, software product suite that fully automates the process
of viewing, publishing, maintaining, distributing, archiving, and
marketing your web-based multimedia gallery or store. ImageFolio supports
all media types, including images, video, and sound. A vulnerability in
the product allows remote attackers to cause it to display third-party
content.

DETAILS

Vulnerable systems:
 * ImageFolio version 3.0.1

An input validation vulnerability exists in ImageFolio version 3.0.1 and
prior versions. A remote user can conduct cross-site scripting attacks.

The flaw exists in various parameters of the 'nph-build.cgi' admin script
and the 'imageFolio.cgi' script (and possibly others).

A demonstration exploit is provided:
  /cgi-bin/imageFolio.cgi?direct=<script>alert("SecurityHole")</script>
  /cgi-bin/if/admin/nph-build.cgi?step=<script>alert("SecurityHole")</script>

This vulnerability can be exploited to steal a user's or administrator's
authentication cookies.
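The two sides of a reflected parameter bug like this one, written up as an added example rather than anything from the advisory or from ImageFolio's own (Perl) CGI scripts: a page fragment that copies a query parameter into HTML verbatim beside the same fragment with HTML-encoding applied, and a small checker that walks constructed Apache-style access log lines for the two script paths named above and flags any parameter whose decoded value contains tag-like markup. The `<p>Directory: ...</p>` fragment, the log lines and the `find_reflected_xss_attempts` name are all assumptions made for the illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# --- Rendering side: how the bug arises, and the fix ---------------------

def render_gallery_vulnerable(direct: str) -> str:
    """Reflects the 'direct' parameter into the page with no encoding.
    Constructed stand-in for the flawed behaviour; not ImageFolio's markup."""
    return f"<p>Directory: {direct}</p>"


def render_gallery_fixed(direct: str) -> str:
    """Same fragment, but the value is HTML-encoded first, so '<', '>',
    '&' and quotes can no longer open a tag or attribute."""
    return f"<p>Directory: {html.escape(direct, quote=True)}</p>"


# --- Detection side: spotting attempts in web server logs ----------------

# Constructed Apache common-log style lines (not real traffic). The second
# line carries a URL-encoded payload, the third a raw one with escaped quotes.
SAMPLE_LOG = r'''10.0.0.5 - - [29/Nov/2002:15:15:42 +0200] "GET /cgi-bin/imageFolio.cgi?direct=Photos HTTP/1.0" 200 1843
10.0.0.9 - - [29/Nov/2002:15:16:01 +0200] "GET /cgi-bin/imageFolio.cgi?direct=%3Cscript%3Ealert(%22SecurityHole%22)%3C/script%3E HTTP/1.0" 200 512
10.0.0.9 - - [29/Nov/2002:15:16:30 +0200] "GET /cgi-bin/if/admin/nph-build.cgi?step=<script>alert(\"SecurityHole\")</script> HTTP/1.0" 200 731
'''

# Request target between the method and the protocol in the quoted request field.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Anything that looks like the start of a tag once the value has been decoded.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!?]", re.IGNORECASE)

# Paths the advisory names; widen this list for any other reflecting script.
WATCHED_PATHS = (
    "/cgi-bin/imageFolio.cgi",
    "/cgi-bin/if/admin/nph-build.cgi",
)


def find_reflected_xss_attempts(log_text: str, watched=WATCHED_PATHS):
    """Return (line_no, path, param, decoded_value) for every query parameter
    sent to a watched path whose decoded value contains tag-like markup."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path not in watched:
            continue
        # parse_qs performs the percent-decoding, so %3Cscript%3E becomes <script>
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if MARKUP_RE.search(value):
                    hits.append((line_no, parts.path, name, value))
    return hits


if __name__ == "__main__":
    payload = '<script>alert("SecurityHole")</script>'
    print("vulnerable:", render_gallery_vulnerable(payload))
    print("fixed:     ", render_gallery_fixed(payload))
    for hit in find_reflected_xss_attempts(SAMPLE_LOG):
        print("log line %d: %s param %r -> %r" % hit)
```

The checker decodes before matching, which is what separates a payload hidden behind `%3C`/`%3E` from the harmless `direct=Photos` request on the first line; a filter that only greps the raw log for `<script>` would miss the second line entirely. On the rendering side, encoding at the point of output (rather than trying to strip "bad" input) is the fix the advisory's timeline is waiting for, and it is the same change regardless of which parameter is reflected.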

Vendor Notification:
Jun 9, 2002 - BizDesign (the vendor) was notified and responded that the
pending version 3.0 will contain a fix.
Aug 23, 2002 - Version 3.0 was released without a fix.
Sep 16, 2002 - Version 3.0.1 was released without a fix.
Nov 13, 2002 - Vendor was reminded and responded that the bug will be
fixed in version 3.1, to be released in the beginning of the week of
November 18.
Nov 27, 2002 - At the time of this report, the fixed version had not been
posted to the vendor's web site.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:smoore.bugtraq@securityglobal.net> Stuart Moore.
