######################################################################
#
# Singapore Modern Template v1.3.2 <= XSS Vulnerability
#
# Date			: 14-january-2008
# Vendor URL		: http://www.sgal.org
#
# Found By		: Rubén Ventura Piña (Trew)
# Contact Info		: http://trew.icenetx.net
#			  trew.revolution@gmail.com
#			  ICEnetX Team - http://icenetx.net
#
######################################################################
#
#  Greetings oh earthlings: 
#	Ayzax, BRIO, Gaper, (All ICEnetX Team), n3, Tog, ta^3, Paisterist,
#	and to all people who likes H.I.M, lol.
#
#	"Maybe you can't break the system, but you can always hack it."
#
######################################################################
#
## Vulnerability ##
#
# The "modern template" is the DEFAULT style template in the popular
# image gallery "Singapore". A vulnerable version of the modern
# template is included in singapore's latest version (0.10.1).
#
# The following code in templates/moden/header.tpl.php (line 11) can
# be exploited to conduct a XSS attack:
#
# <link rel="alternate" type="application/rss+xml"
# title="'.$sg->pageTitle().'" href="'.$_SERVER["PHP_SELF"]; if
# (isset($_GET["gallery"])) { echo '?gallery='.$_GET["gallery"];} echo
# '&template=rss" />
#
# Input passed to the "gallery" parameter is not properly santised.
# Therefore the following request would result in a XSS flaw:
#
#  http://site.com/[singapore_path]/default.php?gallery="><script>alert(document.cookie);</script>
#
# This way an attacker will be able tu execute arbitrary code in a 
# victim's browser by tricking him to follow a malicious link.
#
## How to fix ##
#
# Change line 11 in "templates/modern/header.tpl.php" to this:
#
# <link rel="alternate" type="application/rss+xml"
# title="'.$sg->pageTitle().'" href="'.$_SERVER["PHP_SELF"]; if
# (isset($_GET["gallery"])) { echo '?gallery='.htmlspecialchars($_GET["gallery"]);} echo '&template=rss" />
#
#
[EOF]