Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images
Preben Nyløkken has discovered this vulnerability in MG2, which can be
exploited by malicious people to conduct script insertion attacks and disclose
potentially sensitive information.
When adding a comment to an image, input passed to the "name" parameter isn't
properly sanitised before being used.
This can be exploited to inject arbitrary HTML and script code, which will be
executed in a user's browser session in context of an affected site when the
malicious user data is viewed.
The vulnerabilities have been confirmed in version 0.5.1. Other versions may
also be affected.
Solution :
// /includes/mg2_functions.php
// Find "function charfix($string) {"
// Replace the entire function by this code :
function charfix($string) {
$string = str_replace("*","#",$string);
$string = str_replace(chr(92).chr(34),""",$string);
$string = str_replace("\'","'",$string);
$string = str_replace(chr(34),""",$string);
$string = htmlspecialchars($string);
return $string;
}
//---------
// /index.php
// Find "if ($_REQUEST['action'] == "addcomment"){
// Replace the entire line by this code :
if ($_REQUEST['action'] == "addcomment" && $mg2->showcomments == 1){
If your system has been hacked, you should see some 'xxxx.php.comment' or
'xxx.php' files in the /pictures folder. In this case, clean by deleting all
"*.php", "*.php.comment", "*.asp" in the /pictures folder