SecurityTracker.com
Category: Application (Multimedia) > Gallery
Vendors: Gallery Project
Gallery Input Validation Hole in Search Feature Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007318
CVE Reference: CAN-2003-0614
Updated:  Jul 31 2003
Original Entry Date:  Jul 28 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.1 to 1.3.4
Description:  An input validation vulnerability was reported in Gallery. A remote user can conduct cross-site scripting attacks.

It is reported that the software does not properly filter HTML code from user-supplied input in the caption/description search feature. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Gallery software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

As a demonstration exploit, you can search for the following string:

<script>alert("You are vulnerable")</script>

The vendor reports that the flaw is due to a typographical error in the security code.

The vendor credits Larry Nguyen with reporting the flaw.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Gallery software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  The vendor has released fixed versions (1.3.4-p1 and 1.3.5), available at:

http://gallery.sourceforge.net/download.php

You can also manually edit the 'search.php' script or remove the search feature, as described in the Source Message.

Vendor URL: gallery.sourceforge.net/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "Bharat Mediratta" <bharat@menalto.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 31 2003 (Debian Issues Fix) Gallery Input Validation Hole in Search Feature Permits Cross-Site Scripting Attacks   (Matt Zimmerman <mdz@debian.org>)
Debian has released a fix.



Source Message Contents

Date:  Sun, 27 Jul 2003 16:19:34 -0700
From:  "Bharat Mediratta" <bharat@menalto.com>
Subject:  Gallery XSS security advisory (with fix and patch instructions)


___________________
PROBLEM DESCRIPTION

Gallery is an open source image management system.  Learn more about
it at http://gallery.sourceforge.net

Gallery has a feature that allows users to search their image captions
and descriptions for specific search terms.  A typo in the security code
of this feature permits a cross site scripting bug that can allow 
malicious users to craft a URL such that they can execute javascript
in your browser.

Many thanks to Larry Nguyen for noticing this bug and doing the responsible
thing by bringing it to the attention of the Gallery dev team.  As always,
we react quickly to all notifications about security flaws.

You can reproduce this vulnerability by enabling the search feature on
Gallery and searching for this term:

    <script>alert("You are vulnerable")</script>

If the resulting search page yields a javascript popup, your Gallery should
be patched.

_________________
VERSIONS AFFECTED

This hole affects all Gallery releases from version 1.1 to 1.3.4.  It
has been fixed in Gallery v1.3.4-p1 and the Gallery 1.3.5 development
branch in CVS.  
__________________
FIXING THE PROBLEM

The fix to this problem is very simple.  Pursue one of the following
three options:

1. Upgrade to v1.3.4-p1, available now on the Gallery website:
        http://gallery.sourceforge.net/download.php
   
   We provide a complete release of the code as well as a file that
   contains a patch from 1.3.4 with instructions.

-- or -- 

2. Edit search.php, locate this line:

        $searchString = removeTags($searchstring);

   and replace it with:

        $searchstring = removeTags($searchstring);

-- or --

3.  Delete search.php from your gallery.  This will secure your system but 
    will also break the search feature so you will probably want to edit
    config.php and change this line:
        $gallery->app->default["showSearchEngine"] = "yes";
    to:
        $gallery->app->default["showSearchEngine"] = "no";

regards,
Bharat Mediratta
Gallery developer
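The one-character fix in option 2 above is easy to misread, so here is an added PHP example (not Gallery's own code) that shows why it matters. PHP variable names are case-sensitive, so the sanitised value written to `$searchString` is simply never used, and the page keeps echoing the raw `$searchstring`. The `removeTags()` below is a stand-in built on `strip_tags()`, and the three search functions are hypothetical reconstructions of the vulnerable line, the patched line, and an output-encoding variant added here as defence in depth; none of these names or bodies come from the Gallery source.

```php
<?php
// Added example, not Gallery code. removeTags() is a stand-in for the
// helper named in the advisory; its real implementation is not on the page.
function removeTags($s)
{
    return strip_tags($s);
}

// Reconstruction of the vulnerable search.php behaviour: the sanitised
// result lands in $searchString (capital S), but the rest of the page
// keeps using the original, unsanitised $searchstring.
function vulnerableSearch($searchstring)
{
    $searchString = removeTags($searchstring);   // typo: wrong variable
    return "<p>Results for: " . $searchstring . "</p>";
}

// The one-character fix from option 2: assign back to the same variable.
function fixedSearch($searchstring)
{
    $searchstring = removeTags($searchstring);
    return "<p>Results for: " . $searchstring . "</p>";
}

// Hardened variant (an addition here, not part of the vendor fix):
// encode on output instead of relying on tag stripping alone, so the
// search term can never be interpreted as markup.
function hardenedSearch($searchstring)
{
    $safe = htmlspecialchars($searchstring, ENT_QUOTES, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// Returns true when a <script> tag survives into the rendered HTML.
function scriptReachesPage($html)
{
    return stripos($html, '<script') !== false;
}

// The probe string is the one the advisory uses; it is a detection aid,
// not an exploit, and only tells you whether the line was patched.
$probe = '<script>alert("You are vulnerable")</script>';

$variants = [
    'vulnerable' => vulnerableSearch($probe),
    'fixed'      => fixedSearch($probe),
    'hardened'   => hardenedSearch($probe),
];

foreach ($variants as $label => $html) {
    printf("%-10s %s\n", $label . ':',
        scriptReachesPage($html) ? 'script tag reaches the page' : 'safe');
}
```

Running this prints `vulnerable: script tag reaches the page` and `safe` for the other two. The fixed variant is what the vendor shipped; the hardened variant shows the more robust habit of encoding untrusted data at the point it is written into HTML, which would have rendered the typo harmless even before it was found.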










Copyright 2002, SecurityGlobal.net LLC