Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images

[matthieu.paineauSTOPSPAM@xxxxxxxxxx]

Preben Nyløkken has discovered this vulnerability in MG2, which can be 
exploited by malicious people to conduct script insertion attacks and disclose 
potentially sensitive information.

When adding a comment to an image, input passed to the "name" parameter isn't 
properly sanitised before being used. 
This can be exploited to inject arbitrary HTML and script code, which will be 
executed in a user's browser session in context of an affected site when the 
malicious user data is viewed.

The vulnerabilities have been confirmed in version 0.5.1. Other versions may 
also be affected.


Solution :
// /includes/mg2_functions.php
// Find "function charfix($string) {"
// Replace the entire function by this code :
  function charfix($string) {
    $string = str_replace("*","#",$string);
    $string = str_replace(chr(92).chr(34),""",$string);
    $string = str_replace("\'","'",$string);
    $string = str_replace(chr(34),""",$string);
    $string = htmlspecialchars($string);
    return $string;
  }

//---------
// /index.php
// Find "if ($_REQUEST['action'] == "addcomment"){
// Replace the entire line by this code :
if ($_REQUEST['action'] == "addcomment" && $mg2->showcomments == 1){ 

If your system has been hacked, you should see some 'xxxx.php.comment' or 
'xxx.php' files in the /pictures folder. In this case, clean by deleting all 
"*.php", "*.php.comment", "*.asp" in the /pictures folder