Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities

Type securityvulns
Reporter Securityvulns
Modified 2006-05-31T00:00:00


=========================================================== Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities =========================================================== Technical University of Vienna Security Advisory TUVSA-0605-001, May 30, 2006 ===========================================================

Affected applications

Open Searchable Image Catalogue (,

Versions 0.7 and prior.


There are a number of cross site scripting (XSS) vulnerabilities that are caused by the second echo statement in function do_mysql_query (core.php, line 544). If a database query fails for some reason, the query is reflected back to the user. Here are a few points where this situation can be exploited (if register_globals is active and if the current user is logged in as admin):

adminfunctions.php, line 531 http://localhost/osic07/admin.php?action=manageusers&username=neweviluser&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</script>

adminfunctions.php, line 561 http://localhost/osic07/admin.php?action=manageusers&id=777&username=neweviluser&password=xyz&confpass=xyz&realname='&type=<script>alert('hi')</script>

editcatalogue.php, line 523 http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id='<script>alert('hi')</script>&uploaded=true&submit=true&AddRemaining=true [there has to be at least one file with a valid extension in the uploads directory]

editcatalogue.php, line 581 http://localhost/osic07/admin.php?action=editcatalogue&op=additems&catalogue_id=777&uploaded=true&submit=true&catalogue_id='<script>alert('hi')</script>

The above vulnerabilities are also SQL Injection vulnerabilities.

Some analogous cases in search.php:

search.php, line 120: The $query variable can contain malicious user input due to the assignments on lines 90-112.

search.php, line 152: $cf_query is tainted by $cfid, which is tainted by $tempCustomFieldID, which is tainted by $HTTP_POST_VARS (line 138).

search.php, lines 243-250: There are calls to getValueFromID with $item_list as parameter, which can be controlled by an attacker.


The authors have responded to our message quickly and have released version, which fixes the above issues.


March 30, 2006: - Vulnerabilities reported to Chris Goerner. - Response and release of fixed version. - Advisory submission.


Nenad Jovanovic Secure Systems Lab Technical University of Vienna