The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Coppermine Photo Gallery Multiple XSS
------------------------------------------------------------------------
SUMMARY
<http://coppermine.sourceforge.net/> Coppermine is an easily set-up,
fast, feature-rich photo gallery script with mySQL database, user
management, private galleries, automatic thumbnail creation, ecard feature
and a template system for easy customization to match the rest of a site.
Most of the parameters that Coppermine Photo Gallery have are not filtered
and can used to preform a cross site scripting attack that allow attackers
to steal cookies and other information from users.
DETAILS
Vulnerable Systems:
* Coppermine version 1.3
Coppermine Photo Gallery does not filter it's parameters, and attacker can
steal information by using the index.php page with the parameter lang.
Proof of Concept:
The following URL can be used to test your environment for the mentioned
vulnerability:
http://localhost/index.php?lang=english%22%3E%3Cscript%3Ealert('Hello
World')%3C/script%3E</I
Another possible Cross Site Scripting is with the page displayimage.php
and the parameter pos.
Proof of Concept:
The following URL can be used to test your environment for the mentioned
vulnerability:
http://localhost/displayimage.php?album=5
&pos=3%22%3E%3Cscript%3Ealert(document)%3C/script%3E
Generally users of Coppermine Gallery can post comments. Remote address
and X-Forwarded-For variables are logged for administrator's eyes.
X-Forwarded-for variable does not pass throw any filtration before logging
into database. User can define/redefine this variable.
Code Snips:
Vulnerable script: include/init.inc.php
if (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
$hdr_ip =
stripslashes($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']);
} else {
$hdr_ip = $raw_ip;
}
User with access to comments module can spoof x-forwarded-for variable and
realize an XSS attack (as example to get administrators cookie).
ADDITIONAL INFORMATION
The information has been provided by <mailto:team@ghc.ru> GHC team.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
