`===========================================================
Yapig: XSS / Code Injection Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0510-001, October 13, 2005
===========================================================
Affected applications
----------------------
Yapig (yapig.sourceforge.net)
Versions 0.95b and prior.
Description
------------
1.) Stored XSS
An attacker can include malicious JavaScript by posting an image-related comment and inserting something like the following into the "Homepage" form field:
"><script>alert('hi')</script>
This attack falls under the category of stored cross-site scripting and doesn't require the attacker to be logged in.
2.) Reflected XSS
An attacker can include malicious JavaScript by tricking a user into clicking a link to the following URL:
http://your-server/path-to-yapig/view.php?gid=1&phid=1&img_size=><script>alert('hi')</script>
The fields "your-server" and "path-to-yapig" in the given URL have to be adjusted accordingly. The parameters "gid=1" and "phid=1" assume that there exist a gallery and a photo with ID 1 and can be adjusted as well.
Moreover, the width of the image being viewed has to be less than $MAX_IMG_SIZE (set inside config.php) because otherwise, the vulnerable variable $img_size is set to a safe value inside the if-branch on line 120 of view.php. And finally, register_globals has to be active.
3.) Code Injection
An attacker can inject arbitrary PHP code into a gallery's "guid_info.php" file by tricking the logged-in admin into clicking a link to a page with the following contents:
<form method="post" action="http://your-server/path-to-yapig/yapig095b/modify_gallery.php?action=mod_info&gid=1">
<input value='TestGallery"; echo "evil' name="title" type="text">
<input value="TestAuthor" name="author" type="text">
<input value="TestDate" name="date" type="text">
<input value="" name="dir" type="text">
<input value="TestDescription" name="desc" type="text">
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
As for vulnerability #2, "your-server", "path-to-yapig", "gid" and "phid" can be adjusted.
Apart from this, Yapig seems to be susceptible to "Cross-Site Request Forgery" (CSRF) attacks in general. However, this problem is not limited to Yapig, but affects a large number of comparable web applications available at this time.
Solution
---------
Attempts to contact the authors were not successful until now, so there is no official solution available yet.
Timeline:
September 28, 2005: Attempt to contact Yapig developers via "natasab at users.sourceforge.net".
October 5, 2005: Attempt to contact Yapig developers via Sourceforge bug tracker.
October 13, 2005: Advisory submission.
Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation