Yapig: XSS / Code Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Yapig: XSS / Code Injection Vulnerability
From: enji@xxxxxxxxxxxxxxxxxxxx
Date: 13 Oct 2005 12:04:34 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

===========================================================
Yapig: XSS / Code Injection Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0510-001, October 13, 2005
===========================================================


Affected applications
----------------------

Yapig (yapig.sourceforge.net)

Versions 0.95b and prior.


Description
------------


1.) Stored XSS

An attacker can include malicious JavaScript by posting an image-related 
comment and inserting something like the following into the "Homepage" form 
field:

"><script>alert('hi')</script>

This attack falls under the category of stored cross-site scripting and doesn't 
require the attacker to be logged in.


2.) Reflected XSS

An attacker can include malicious JavaScript by tricking a user into clicking a 
link to the following URL:

    
http://your-server/path-to-yapig/view.php?gid=1&phid=1&img_size=><script>alert('hi')</script>

The fields "your-server" and "path-to-yapig" in the given URL have to be 
adjusted accordingly. The parameters "gid=1" and "phid=1" assume that there 
exist a gallery and a photo with ID 1 and can be adjusted as well.

Moreover, the width of the image being viewed has to be less than $MAX_IMG_SIZE 
(set inside config.php) because otherwise, the vulnerable variable $img_size is 
set to a safe value inside the if-branch on line 120 of view.php. And finally, 
register_globals has to be active.


3.) Code Injection

An attacker can inject arbitrary PHP code into a gallery's "guid_info.php" file 
by tricking the logged-in admin into clicking a link to a page with the 
following contents:

    <form method="post" 
action="http://your-server/path-to-yapig/yapig095b/modify_gallery.php?action=mod_info&amp;gid=1";>
      <input value='TestGallery"; echo "evil' name="title" type="text">
      <input value="TestAuthor" name="author" type="text">
      <input value="TestDate" name="date" type="text"> 
      <input value="" name="dir" type="text">
      <input value="TestDescription" name="desc" type="text">
      <input type="submit">
    </form>

    <script type="text/javascript">
      document.forms[0].submit();
    </script>

As for vulnerability #2, "your-server", "path-to-yapig", "gid" and "phid" can 
be adjusted.

Apart from this, Yapig seems to be susceptible to "Cross-Site Request Forgery" 
(CSRF) attacks in general. However, this problem is not limited to Yapig, but 
affects a large number of comparable web applications available at this time.


Solution
---------

Attempts to contact the authors were not successful until now, so there is no 
official solution available yet.

Timeline:

September 28, 2005: Attempt to contact Yapig developers via "natasab at 
users.sourceforge.net".

October 5, 2005: Attempt to contact Yapig developers via Sourceforge bug 
tracker.

October 13, 2005: Advisory submission.


Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 
www.seclab.tuwien.ac.at

Prev by Date: Kerio Personal Firewall and Kerio Server Firewall FWDRV driver Local Denial of Service
Next by Date: [USN-203-1] Abiword vulnerabilities
Previous by thread: Re: [Full-disclosure] Kerio Personal Firewall and Kerio Server Firewall FWDRV driver Local Denial of Service
Next by thread: [USN-203-1] Abiword vulnerabilities
Index(es):
- Date
- Thread