11151643 2003-12-30 15:29 +0200 /69 lines/ The-Insider <nuritrv18@bezeqint.net>
Imported: 2003-12-30 19:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30480>
Subject: Gallery v1.3.3 Cross Site Scripting Vulnerability
------------------------------------------------------------
From: "The-Insider" <nuritrv18@bezeqint.net>
To: <bugtraq@securityfocus.com>
Message-ID: <000701c3ced8$ffddf560$1792db3e@fucku>

#######################################################################

Application:    Gallery
Vendors:
http://gallery.sourceforge.net
http://gallery.menalto.com
Versions:        <= 1.3.3
Platforms:       Windows/Unix
Bug:                 Cross Site Scripting Vulnerability
Risk:                Low
Exploitation:   Remote with browser
Date:               30 Dec 2003
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============


Gallery 1.3.3 is an automated PHP gallery engine. It is quite secure,
and very effective as a web gallery.

#######################################################################

======
2) Bug
======

When the webserver hosting Gallery 1.3.3 receives a "GET
/<galleryfolder>/search.php" it refers to search.php as it
should. However, when searching for "<script>alert('XSS')</script>" or
requesting "GET
/<galleryfolder>/search.php?searchstring=<script>alert('XSS')</script>"
the server allows an attacker to inject & execute scripts.

#######################################################################

===========
3) The Code
===========

http://<host>/<galleryfolder>/search.php?searchstring=<script>alert('XSS')</script>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."
(11151643) /The-Insider <nuritrv18@bezeqint.net>/(Reformatted)
Comment in text 11152487 by Bharat Mediratta <bharat@menalto.com>
11152487 2003-12-30 11:55 -0800 /48 lines/ Bharat Mediratta <bharat@menalto.com>
Imported: 2003-12-30 23:41 by Brevbäraren
External recipient: The-Insider <nuritrv18@bezeqint.net>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30483>
Comment to text 11151643 by The-Insider <nuritrv18@bezeqint.net>
Subject: Re: Gallery v1.3.3 Cross Site Scripting Vulnerability
------------------------------------------------------------
From: "Bharat Mediratta" <bharat@menalto.com>
To: "The-Insider" <nuritrv18@bezeqint.net>,
 <bugtraq@securityfocus.com>
Message-ID: <000b01c3cf0e$d9bd9d00$6601a8c0@verity>

From: "The-Insider" <nuritrv18@bezeqint.net>
...
> #######################################################################
>
> Application:    Gallery
> Vendors:
> http://gallery.sourceforge.net
> http://gallery.menalto.com
> Versions:        <= 1.3.3
> Platforms:       Windows/Unix
> Bug:                 Cross Site Scripting Vulnerability
> Risk:                Low
> Exploitation:   Remote with browser
> Date:               30 Dec 2003
> Author:            Rafel Ivgi, The-Insider
> e-mail:             the_insider@mail.com
> web:                http://theinsider.deep-ice.com

5 points for finding a security flaw.  -500 for not contacting us
first, because then we could have told you that this flaw was fixed
in Gallery v1.3.4-pl1, released July 27 2002 and you could have
included that information in your security advisory.

For complete details on the bug and the bug fix, including a patch,
please read this story on our web site:

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=82

By the way, this bug affects all versions of Gallery from v1.1 to
v1.3.4 so if you're running one of those versions of Gallery we
strongly advise you to either apply the patch in the above news
story, or upgrade to the latest version of Gallery from here:

    http://gallery.sf.net/download.php

-Bharat
Gallery Project Lead
(11152487) /Bharat Mediratta <bharat@menalto.com>/(Reformatted)
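
A log check for the request described in the advisory, as an added example that is not part of either message and is not Gallery code: it scans access-log lines for search.php requests whose searchstring parameter decodes to markup, and returns the HTML-escaped form that is safe to echo into a page. The log lines, client addresses and the /gallery/ folder name are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines; addresses and the /gallery/ folder are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2003:15:29:00 +0200] "GET /gallery/search.php'
    '?searchstring=sunset HTTP/1.1" 200 5120',
    '192.0.2.11 - - [30/Dec/2003:15:30:12 +0200] "GET /gallery/search.php'
    '?searchstring=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 5342',
    '192.0.2.12 - - [30/Dec/2003:15:31:40 +0200] "GET /gallery/search.php'
    '?searchstring=%253Cscript%253Ealert(%2527XSS%2527)%253C/script%253E HTTP/1.1" 200 5342',
    '192.0.2.13 - - [30/Dec/2003:15:32:05 +0200] "GET /gallery/index.php'
    '?page=a%3Cb HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[0-9.]+"')
MARKUP_RE = re.compile(r"[<>]")  # angle brackets are what the advisory's string relies on


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_searches(lines):
    """Return (client, decoded searchstring, HTML-escaped form) for flagged requests."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/search.php"):
            continue  # only the script named in the advisory is checked here
        for raw in parse_qs(url.query, keep_blank_values=True).get("searchstring", []):
            value = fully_decode(raw)
            if MARKUP_RE.search(value):
                hits.append((line.split()[0], value, html.escape(value)))
    return hits


if __name__ == "__main__":
    for client, value, safe in suspicious_searches(SAMPLE_LOG):
        print(f"{client}  searchstring={value!r}  escaped: {safe}")
```

A hit in the log shows only that the request was made; whether the script ran depends on the installed Gallery version.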