Lucene search
+L

invisionGallery.txt

🗓️ 21 Jun 2005 00:00:00Reported by James BercegayType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

Invision Gallery community gallery software by Invision Power Services prior to version 1.3.1 contains multiple vulnerabilities. Attackers can perform unauthorized actions and retrieve sensitive data via Cross Site Request Forgery and SQL Injection. Users are advised to upgrade to the latest version

Code
`##########################################################  
# GulfTech Security Research June 9th, 2005  
##########################################################  
# Vendor : Invision Power Services  
# URL : http://www.invisiongallery.com  
# Version : All Versions Prior To 1.3.1  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
Invision Gallery is a community based gallery software that can be  
integrated into Invision Power Board. There are several security  
issues in Invision Gallery that may allow for an attacker to force  
a user into unknowingly / unwillingly perform actions on behalf of an  
attacker, or an attacker may influence SQL queries and retrieve  
sensitive information contained within the underlying database. An  
upgrade has been released for several weeks now and all users should  
upgrade their gallery installations as soon as possible.  
  
  
  
Cross Site Request Forgery:  
The proper precautions are not taken when dealing with certain actions,  
and as a result an attacker can force a user to delete images, and albums  
by having them simply follow a malicious link, or by including the link in  
an embedded tag such as img or iframe.  
  
http://localhost/index.php?act=module&module=gallery&cmd=albums&op=del&album=2  
http://localhost/index.php?act=module&module=gallery&cmd=delimg&img=2  
  
The above links could be used to effectively delete an album and an image.  
This issue arises as a result of not properly adhering to RFC 2616 9.1.1  
  
  
  
SQL Injection:  
There are a couple of SQL Injection issues in Invision Gallery. The first  
vulnerability I will talk about presents itself when editing comments.  
  
http://localhost/index.php?act=module&module=gallery&cmd=editcomment&comment=  
-99%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,name,0,0,0%20FROM%20ibf_members%20  
WHERE%201/*&img=1  
  
The above example will select a users name from the database, but this could  
just as easily be a password hash. The other SQL Injection issue is pretty  
dangerous and presents itself when voting on a photo. Basically an attacker  
may include arbitrary SQL statements instead of a rating, and influence an  
UPDATE query which can be very dangerous.  
  
  
  
Solution:  
Updated version of the Invision Gallery software have been available for  
many weeks now. Users should upgrade as soon as possible. Special thanks  
to the guys at Invision for fixing these issues so quickly :)  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00079-06092005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation