<<< Date Index >>>     <<< Thread Index >>>

[MajorSecurity #18] Ralf Image Gallery <=0.7.4 - Multiple XSS, Remote File Include and directory traversal vulnerabilities



[MajorSecurity #18] Ralf Image Gallery <=  - Multiple XSS, Remote File Include 
and directory traversal vulnerabilities
----------------------------------------------

Software: RIG[Ralf Image Gallery]

Version: <=0.7.4

Type: Cross site scripting + remote file include + directory traversal

Discovery Date: June, 12th 2006
 
Made public: June, 20th 2006 

Vendor: RIG is developed and maintained by Le R'alf

Page: http://rig.powerpulsar.com/

Rated as: Very high


Credits:
----------------------------------------------
Discovered by: David "Aesthetico" Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls18.txt

Affected Products:
----------------------------------------------
RIG 0.7.4(unstable) and prior
(http://sourceforge.net/project/showfiles.php?group_id=54367&release_id=179661)

RIG 0.6.45 and 0.7(stable) and prior

Contacted Vendor:
----------------------------------------------
I have contacted Le R'alf on June, 12th 2006 at 2:37 PM via e-mail, but until 
today I got no response
and the bug was still not fixed!!!

Description:
----------------------------------------------
RIG (a.k.a. the Ralf Image Gallery) is a web-based image album viewer.
The main application of RIG is a viewer for digital camera albums; 
as such it offers specific functionalities like automatic image resizing and 
handling of dated album names.

Requirements:
----------------------------------------------
register_globals = On

Vulnerability:
----------------------------------------------
check_entry.php:
81: require_once(rig_check_src_file($dir_abs_src . "entry_point.php")); 

admin_album.php:
31: require_once($dir_abs_src       . "common.php");
32: require_once($dir_abs_admin_src . "admin_util.php");

admin_image.php:
28: require_once($dir_abs_src       . "common.php");
29: require_once($dir_abs_admin_src . "admin_util.php");

admin_util.php:
29: require_once($dir_abs_src . "common.php");   

Input passed to the "dir_abs_src" parameter in "check_entry.php" and the 
"dir_abs_admin_src" parameter in 
"admin_album.php", "admin_image.php" and "admin_util.php" is not properly 
verified, before it is used to execute the given arguments.

Vuln 1: Acquiring access to known files outside of the web root and current 
directory
is possible through directory traversal techniques.
This is made possible through the use of "../../" in a HTTP request.

Vuln 2: This can also be exploited to execute arbitrary HTML and script code in 
context of an affected site.

Vuln 3: This can also be exploited to include arbitrary files from external and 
local resources.

Solution:
----------------------------------------------
Replace the vulnerable lines with my fixed lines.
This hotfix does only fix the the files against directory traversal and file 
include vulnerabilities.

Line 81 in check_entry.php: require_once(rig_check_src_file($dir_abs_src . 
"entry_point.php")); 
    
MajorSecurity fix option 1: include("entry_point.php"); 
MajorSecurity fix option 2: 
require_once(rig_check_src_file("entry_point.php")); 

In the others vuln files you need to replace following lines:

28: require_once($dir_abs_src       . "common.php");
29: require_once($dir_abs_admin_src . "admin_util.php");

with my fixed lines:
28: require_once("common.php");
29: require_once("admin_util.php");

Solution(Against XSS-attacks):
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "strip_tags()" php-function to 
ensure that html tags
are not going to be executed.

Example:
<?php
  echo htmlspecialchars("<script");
?>

Set "register_globals" to "Off".