Gallery is still vulnerable to Cross-site Scripting attacks

2005-02-04T00:00:00
ID SECURITYVULNS:DOC:7739
Type securityvulns
Reporter Securityvulns
Modified 2005-02-04T00:00:00

Description

Hello,

After testing out the updates to CVS for Gallery, I realized it is still vulnerable to the cross-site scripting attacks that was mentioned in the first advisory.

The following code was committed to CVS:

/ * Test for relative URL, which we know to be local. If URL contains :// * assume that it's remote and test it against our local full URLs * to ensure security. Don't check for http:// or https:// because * for all we know, someone put their album URL on a gopher server... / if ($return[0] != '/' && strstr($return, '://') !== false) { if (strncmp($return, $gallery->app->photoAlbumURL, strlen($gallery->app->photoAlbumURL) != 0) && strncmp($return, $gallery->app->albumDirURL, strlen($gallery->app->albumDirURL) != 0)) { die(_('Attempted security breach.')); } }

The problem is with the strncmp(). If you look closely you will see that the comparison != 0 occurs inside the strncmp(). On my system this makes strncmp be true and return 0. So the URL is "validated" and continues down the chain giving the same cross-site scripting attack as before. The correct code should be:

/ * Test for relative URL, which we know to be local. If URL contains :// * assume that it's remote and test it against our local full URLs * to ensure security. Don't check for http:// or https:// because * for all we know, someone put their album URL on a gopher server... / if((isset($return)) && ($return[0] != '/') && strstr($return, "://")) { if (strncmp($return, $gallery->app->photoAlbumURL, strlen($gallery->app->photoAlbumURL)) != 0 && strncmp($return, $gallery->app->albumDirURL, strlen($gallery->app->albumDirURL)) != 0) { die(_('Attempted security breach.')); } }

I removed the '!== false' because it is unnecesary in PHP.

The file that this code is taken from is do_command.php

Jon


Jon Keating jon@licq.org ICQ: 16325723 emostar on irc.freenode.net Shizuoka-Ken, Mishima-Shi, JAPAN