Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Multiple PHP Images Galleries EXIF Metadata XSS Vulnerabilities

from [Cedric Cochin] Network Security [Permanent Link]
Subject: Multiple PHP Images Galleries EXIF Metadata XSS Vulnerabilities
Date: Thu, 25 Aug 2005 22:36:13 -0700 
    Multiple PHP Images Galleries EXIF Metadata XSS Vulnerabilities

########################################################################
Summary :

A  large majority  of PHP  Images Gallery  Technologies now  handle  the
Exchangeable Image File  (EXIF) header of  jpeg files. The  Exchangeable
Image File  (EXIF) format  is an  international specification  that lets
imaging  companies  encode  metadata  information  into  the  headers or
application segments of a JPEG file. Unfortunately the metadata gathered
in the EXIF header are not well sanitized when displayed.

########################################################################
Details :

Displaying the  EXIF information  is a  nice feature,  and more and more
online gallery try to enable this functionnality to please their  users.
The default behavior of all  these technologies is not always  the same,
in some cases you may have to configure the gallery to display the  EXIF
info or install  an additionnal tool  (jhead for example)  to enable the
functionnality.

When,  the  setup process  is  done, the  EXIF  info will  be  displayed
automatically when clicking on the  picture (in rare cases you  may have
to request the EXIF info by clicking on an information/exif button).

When displayed, the EXIF information  is not sanitized, which makes  the
gallery technology vulnerable to cross site scripting attacks.

Vulnerable Systems:

* Coppermine (up to 1.3.3, >= beta 1.4.1 not vulnerable)
==>http://coppermine.sourceforge.net/

* Gallery 1.5.1-RC2 and prior
(in addition the photo description field was vulnerable to XSS)
==>http://gallery.menalto.com/

* phpGraphy (up to version 0.9.9a, >= 0.9.10 not vulnerable)
==>http://phpgraphy.sourceforge.net/

* YaPig 0.95 and prior
==>http://yapig.sourceforge.net/

A large number  of galleries are  available, if you  want to extend  the
test panel, try for example :
http://directory.google.com/Top/Computers/Programming/Languages/PHP/Scripts/Image_Galleries/

Commercial technologies are vulnerable too

* PhotoPost PHP Pro (current version)
==> http://www.photopost.com/

After a  short survey,  it looks  like online  images galleries  as MSN,
YAHOO,  ShutterFly,  Pixagogo,  PictureTrail  ...  don't  provide   EXIF
metadata for now. So are not affected by this vulnerability.

Release Date :
August 26, 2005

Severity :
MEDIUM

########################################################################
Example :

Take your favorite picture, and save it in .jpg. Use the EXIF editor  of
your choice and edit the Camera Model Tag. Replace the current value  by
" <script>alert(document.cookie)</script> ".

Then upload the jpeg file to  your favorite Online Gallery and click  on
the picture ... XSS.

########################################################################
Vendor Status :

The information has been provided to all concerned Project Managers  the
17th of August 2005.

* Coppermine
Update to Coppermine pg1.3.4
http://coppermine-gallery.net/forum/index.php?topic=20933.0

* Gallery
Update to the final release of Gallery 1.5.1.
http://gallery.menalto.com/modules.php?op=modload&name=phpWiki&file=index&pagename=Download
A patch for Gallery  1.5 and a new  Debian's Gallery 1.2.5 package  have
been released too.

* phpGraphy
Update to version 0.9.10
http://phpgraphy.sourceforge.net/download.php

* YaPig
No answer up to now.

* PhotoPost PHP Pro
On the 22nd of August:
"we'll be issuing an update to PhotoPost today which will sanitize  this
data before being displayed"

########################################################################
Credit :

Cedric Cochin, Network Security Expert
Web Site: http://cedri.cc
< cedric.cochin [-at-] gmail .DoT. com >

Currently  => SecureScout Product Integration Manager
Previously => netVigilance SecurityWatch Team Manager
Web Site   => http://www.securescout.com || http://www.netvigilance.com

Original Advisory link:
http://cedri.cc/advisories/EXIF_XSS.txt
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Multiple PHP Images Galleries EXIF Metadata XSS Vulnerabilities, Cedric Cochin <=
Previous by Date:  Re: unload event in ie/mozilla/opera, Michael Shigorin
Next by Date:  DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()', KF (lists)
Previous by Thread:  MDKSA-2005:151 - Updated pcre packages fix integer overflow vulnerability, Mandriva Security Team
Next by Thread:  DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()', KF (lists)
Indexes:  [Date] [Thread] [Top] [All Lists]