Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Vulnerability in MG2 php based Image Gallery - bypass security, view

from [matthieu . paineauSTOPSPAM] Network Security [Permanent Link]
Subject: Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images
Date: 21 Dec 2006 10:28:34 -0000 
Preben Nyløkken has discovered this vulnerability in MG2, which can be 
exploited by malicious people to conduct script insertion attacks and disclose 
potentially sensitive information.

When adding a comment to an image, input passed to the "name" parameter isn't 
properly sanitised before being used. 
This can be exploited to inject arbitrary HTML and script code, which will be 
executed in a user's browser session in context of an affected site when the 
malicious user data is viewed.

The vulnerabilities have been confirmed in version 0.5.1. Other versions may 
also be affected.


Solution :
// /includes/mg2_functions.php
// Find "function charfix($string) {"
// Replace the entire function by this code :
  function charfix($string) {
    $string = str_replace("*","#",$string);
    $string = str_replace(chr(92).chr(34),"&quot;",$string);
    $string = str_replace("\'","'",$string);
    $string = str_replace(chr(34),"&quot;",$string);
    $string = htmlspecialchars($string);
    return $string;
  }

//---------
// /index.php
// Find "if ($_REQUEST['action'] == "addcomment"){
// Replace the entire line by this code :
if ($_REQUEST['action'] == "addcomment" && $mg2->showcomments == 1){ 

If your system has been hacked, you should see some 'xxxx.php.comment' or 
'xxx.php' files in the /pictures folder. In this case, clean by deleting all 
"*.php", "*.php.comment", "*.asp" in the /pictures folder
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images, matthieu . paineauSTOPSPAM <=
Previous by Date:  SQID v0.1 - SQL Inhection Digger., contact
Next by Date:  [TOOL] untidy - XML Fuzzer, Andres Riancho
Previous by Thread:  SQID v0.1 - SQL Inhection Digger., contact
Next by Thread:  [TOOL] untidy - XML Fuzzer, Andres Riancho
Indexes:  [Date] [Thread] [Top] [All Lists]