Secunia Research: SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities

To: vuln@xxxxxxxxxxx
Subject: Secunia Research: SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities
From: Secunia Research <remove-vuln@xxxxxxxxxxx>
Date: Fri, 09 Jun 2006 09:31:00 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Secunia
Reply-to: remove-vuln@xxxxxxxxxxx

======================================================================

                     Secunia Research 09/06/2006

 - SelectaPix Cross-Site Scripting and SQL Injection Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* SelectaPix 1.31

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Manipulation of data and cross-site scripting
Where:  Remote

======================================================================
3) Vendor's Description of Software

SelectaPix is a free (GPL Licence), highly configurable PHP/MySQL 
image gallery system which can be integrated into your existing site 
in minutes. The password-protected admin section allows you to upload 
up to 10 jpeg images in one go, and arrange them into albums and 
sub-albums.

Product link:
http://www.outofthetrees.co.uk/selectapix/index.php

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in SelectaPix, 
which can be exploited by malicious people to conduct 
cross-site scripting and SQL injection attacks.

1) Some input is not properly sanitised before being used in a SQL 
query. This can be exploited to manipulate SQL queries by injecting 
arbitrary SQL code.

Examples:
http://[host]/view_album.php?albumID=[code]
http://[host]/popup.php?albumID=2&imageID=[code]
http://[host]/index.php?albumID=[code]
* The "username" and "passwd" parameters passed in "admin/member.php".

This can further be exploited to bypass the authentication process and 
access the administration section.

Successful exploitation requires that "magic_quotes_gpc" is disabled 
(except for the "albumID" parameter).

2) Input passed to the "albumID" parameter in "popup.php" and 
"view_album.php" is not properly sanitised before being returned to 
the user. This can be exploited to execute arbitrary HTML and script 
code in a user's browser session in context of an affected site.

The vulnerabilities have been confirmed in version 1.31. Prior 
versions may also be affected.

======================================================================
5) Solution

Update to version 1.4.
http://www.outofthetrees.co.uk/selectapix/index.php

======================================================================
6) Time Table

17/05/2006 - Initial vendor notification.
31/05/2006 - Vendor confirms vulnerabilities.
09/06/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-2912 (SQL injection) and CVE-2006-2913 (cross-site scripting)
for the vulnerabilities.

======================================================================
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-39/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Prev by Date: Re: SSL VPNs and security
Next by Date: Secunia Research: AutoMate unacev2.dll Buffer Overflow Vulnerability
Previous by thread: Docebo Lms 3.0.3, Remote command execution
Next by thread: Secunia Research: AutoMate unacev2.dll Buffer Overflow Vulnerability
Index(es):
- Date
- Thread