[SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities
From: <chewkeong@xxxxxxxxxxxxxxx>
Date: 17 Dec 2004 00:19:59 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


SIG^2 Vulnerability Research Advisory

singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities

by Tan Chew Keong
Release Date: 16 Dec 2004


ADVISORY URL
http://www.security.org.sg/vuln/singapore0910.html


SUMMARY

singapore (http://singapore.sourceforge.net/) is yet another open source PHP 
based image gallery web application. What makes it different from the hundreds 
of other similar scripts is that it is specifically geared towards displaying 
art in an aesthetically pleasing fashion using a clean, uncluttered interface.

Multiple vulnerabilies were found in the image gallery web application 
including arbitrary file download, directory deletion and Cross-Site Scripting 
(XSS). 


TESTED SYSTEM

singapore Image Gallery Web Application Version 0.9.10 on English Win2K IIS 
with PHP 4.3.4, 4.3.9

singapore Image Gallery Web Application Version 0.9.10 on Linux Apache/1.3.33 
(Unix) PHP/4.3.9

 
DETAILS

Multiple vulnerabilies were found in the image gallery web application 
including arbitrary file download, directory deletion and Cross-Site Scripting 
(XSS).

1. Insufficient directory traversal check in thumb.php showThumb() method may 
allow arbitrary file download.  This may be exploited to download the encrypted 
password file in /install_dir/data/users.csv.php.


2. Insufficient filename check in admin.class.php addImage() function may allow 
arbitrary file upload.  This may be exploited by a malicious logon user to 
upload arbitrary PHP scripts instead of image files.


3. Insufficient directory traversal check in admin.class.php allows deletion of 
arbitrary directory that the Windows web server has delete access to.  On a 
Windows platform, deletion of arbitrary directories that the web server has 
write access to is possible.


4. Multiple Cross-Site Scripting (XSS) Vulnerabilities


PATCH

User are advised to upgrade to version 0.9.11.

 
DISCLOSURE TIMELINE

17 Nov 04 - Vulnerability Discovered.
17 Nov 04 - Initial Author Notification by Email.
17 Nov 04 - Initial Author Reply.
18 Nov 04 - Second Author Notification.
19 Nov 04 - Received patch from Author, but it does not work.
19 Nov 04 - Informed Author that patch does not work.
30 Nov 04 - Third Author Notification.
03 Dec 04 - Author provided fix.
15 Dec 04 - Author Released Version 0.9.11.
16 Dec 04 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."

Prev by Date: Discussion: Microsoft(R) PowerPoint “Action Settings” feature allows invocation of default browser pointed at arbitrary URL.
Next by Date: Re: *nix data wipe tools
Previous by thread: Discussion: Microsoft(R) PowerPoint “Action Settings” feature allows invocation of default browser pointed at arbitrary URL.
Next by thread: [ GLSA 200412-11 ] Cscope: Insecure creation of temporary files
Index(es):
- Date
- Thread