secunia-SelectaPix.txt

Published: 12 Jun 2006 00:00:00
Reported by: Andreas Sandblad
Type: packetstorm
Source: packetstormsecurity.com
Views: 33

SelectaPix vuln: SQL Injection, XSS, update to v1.4

Related

| Family  | Identifier / Title    | Published        | Source  |
|---------|-----------------------|------------------|---------|
| CVE     | CVE-2006-2912         | 9 Jun 2006 10:00 | cve     |
| CVE     | CVE-2006-2913         | 9 Jun 2006 10:00 | cve     |
| Cvelist | CVE-2006-2912         | 9 Jun 2006 10:00 | cvelist |
| Cvelist | CVE-2006-2913         | 9 Jun 2006 10:00 | cvelist |
| EUVD    | EUVD-2006-2909        | 7 Oct 2025 00:30 | euvd    |
| EUVD    | EUVD-2006-2910        | 7 Oct 2025 00:30 | euvd    |
| NVD     | CVE-2006-2912         | 9 Jun 2006 10:02 | nvd     |
| NVD     | CVE-2006-2913         | 9 Jun 2006 10:02 | nvd     |
| Prion   | Sql injection         | 9 Jun 2006 10:02 | prion   |
| Prion   | Cross site scripting  | 9 Jun 2006 10:02 | prion   |
```text
======================================================================

Secunia Research 09/06/2006

- SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* SelectaPix 1.31

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Manipulation of data and cross-site scripting
Where: Remote

======================================================================
3) Vendor's Description of Software

SelectaPix is a free (GPL Licence), highly configurable PHP/MySQL
image gallery system which can be integrated into your existing site
in minutes. The password-protected admin section allows you to upload
up to 10 jpeg images in one go, and arrange them into albums and
sub-albums.

Product link:
http://www.outofthetrees.co.uk/selectapix/index.php

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in SelectaPix,
which can be exploited by malicious people to conduct
cross-site scripting and SQL injection attacks.

1) Some input is not properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Examples:
http://[host]/view_album.php?albumID=[code]
http://[host]/popup.php?albumID=2&imageID=[code]
http://[host]/index.php?albumID=[code]
* The "username" and "passwd" parameters passed in "admin/member.php".

This can further be exploited to bypass the authentication process and
access the administration section.

Successful exploitation requires that "magic_quotes_gpc" is disabled
(except for the "albumID" parameter).

2) Input passed to the "albumID" parameter in "popup.php" and
"view_album.php" is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of an affected site.

The vulnerabilities have been confirmed in version 1.31. Prior
versions may also be affected.

======================================================================
5) Solution

Update to version 1.4.
http://www.outofthetrees.co.uk/selectapix/index.php

======================================================================
6) Time Table

17/05/2006 - Initial vendor notification.
31/05/2006 - Vendor confirms vulnerabilities.
09/06/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2006-2912 (SQL injection) and CVE-2006-2913 (cross-site scripting)
for the vulnerabilities.

======================================================================
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-39/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
```
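The advisory's caveat that "magic_quotes_gpc" must be disabled "except for the albumID parameter" is the part worth understanding as a defender: quote-escaping only protects a value that sits inside SQL string quotes, and albumID is compared as a number. The following is an added example written for this page, not code from Secunia or from SelectaPix. It uses SQLite in place of MySQL, a constructed `albums` table with one hidden row, a small `add_slashes()` that mimics PHP's magic_quotes_gpc behaviour, and hypothetical function names (`vulnerable_view_album`, `hardened_view_album`, `render_album_heading`). It shows the escaping being ineffective in the numeric context, the fix (integer validation plus parameter binding), and the output encoding that addresses the second finding, the reflected albumID.

```python
"""Added example: why magic_quotes_gpc-style escaping cannot protect a numeric
parameter such as albumID, how validation plus parameter binding fixes the
SQL injection, and how output encoding handles the reflected XSS.
Table name, sample rows and function names are constructed for this example;
SQLite stands in for the MySQL backend SelectaPix uses."""
import html
import sqlite3


def add_slashes(value: str) -> str:
    # Mimics PHP's magic_quotes_gpc / addslashes(): backslash-escapes ' " \ and
    # NUL. A value containing none of those characters comes back unchanged,
    # which is exactly why it offers no protection in an unquoted SQL context.
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\0", "\\0"))


def make_db() -> sqlite3.Connection:
    # Constructed sample data: album 2 is hidden (visible = 0).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE albums (albumID INTEGER, name TEXT, visible INTEGER)")
    conn.executemany("INSERT INTO albums VALUES (?, ?, ?)",
                     [(1, "holiday", 1), (2, "private", 0), (3, "family", 1)])
    return conn


def vulnerable_view_album(conn: sqlite3.Connection, album_id: str) -> list:
    # The pattern the advisory describes: the albumID request parameter is
    # concatenated straight into the query. Because the comparison is numeric,
    # no quote character is needed to alter the query, so add_slashes() is moot.
    sql = ("SELECT name FROM albums WHERE visible = 1 AND albumID = "
           + add_slashes(album_id))
    return sorted(row[0] for row in conn.execute(sql))


def albumid_is_valid(album_id: str) -> bool:
    # Allow-list check: only an ASCII decimal integer is an acceptable albumID.
    return album_id.isascii() and album_id.isdigit()


def hardened_view_album(conn: sqlite3.Connection, album_id: str) -> list:
    # Fix: validate the type, then bind the value as a parameter so it can
    # never change the statement's structure (PHP: mysqli/PDO prepared statements).
    if not albumid_is_valid(album_id):
        raise ValueError("albumID must be a non-negative integer")
    sql = "SELECT name FROM albums WHERE visible = 1 AND albumID = ?"
    return sorted(row[0] for row in conn.execute(sql, (int(album_id),)))


def render_album_heading(album_id: str) -> str:
    # Second finding: albumID is echoed back into the page. Encoding it for the
    # HTML text context (PHP: htmlspecialchars()) neutralises the reflected XSS.
    return "<h1>Album " + html.escape(album_id, quote=True) + "</h1>"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_view_album(db, "1"))         # ['holiday']
    print(vulnerable_view_album(db, "1 OR 1=1"))  # the hidden album leaks too
    print(hardened_view_album(db, "1"))           # ['holiday']
    print(albumid_is_valid("1 OR 1=1"))           # False: rejected before any SQL runs
    print(render_album_heading("<b>x</b>"))       # <h1>Album &lt;b&gt;x&lt;/b&gt;</h1>
```

The same reasoning applies to the "username" and "passwd" parameters in "admin/member.php": escaping the quote character happens to block the string-context injection there (which is why the advisory says magic_quotes_gpc must be disabled for those), but escaping is a fragile, configuration-dependent defence, whereas binding parameters removes the problem regardless of server settings.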


12 Jun 2006 00:00 (current)
Risk: 6.6 Medium
Vulners AI Score: 6.6
EPSS: 0.02086
Views: 33