BugTraq
[MajorSecurity #18] Ralf Image Gallery <=0.7.4 - Multiple XSS, Remote File Include and directory traversal vulnerabilities Jun 20 2006 02:32PM
admin majorsecurity de (1 replies)
[MajorSecurity #18] Ralf Image Gallery <= - Multiple XSS, Remote File Include and directory traversal vulnerabilities

----------------------------------------------

Software: RIG[Ralf Image Gallery]

Version: <=0.7.4

Type: Cross site scripting + remote file include + directory traversal

Discovery Date: June, 12th 2006

Made public: June, 20th 2006

Vendor: RIG is developed and maintained by Le R'alf

Page: http://rig.powerpulsar.com/

Rated as: Very high

Credits:

----------------------------------------------

Discovered by: David "Aesthetico" Vieira-Kurz

http://www.majorsecurity.de

Original Advisory:

----------------------------------------------

http://www.majorsecurity.de/advisory/major_rls18.txt

Affected Products:

----------------------------------------------

RIG 0.7.4(unstable) and prior

(http://sourceforge.net/project/showfiles.php?group_id=54367&release_id=
179661)

RIG 0.6.45 and 0.7(stable) and prior

Contacted Vendor:

----------------------------------------------

I have contacted Le R'alf on June, 12th 2006 at 2:37 PM via e-mail, but until today I got no response

and the bug was still not fixed!!!

Description:

----------------------------------------------

RIG (a.k.a. the Ralf Image Gallery) is a web-based image album viewer.

The main application of RIG is a viewer for digital camera albums;

as such it offers specific functionalities like automatic image resizing and handling of dated album names.

Requirements:

----------------------------------------------

register_globals = On

Vulnerability:

----------------------------------------------

check_entry.php:

81: require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));

admin_album.php:

31: require_once($dir_abs_src . "common.php");

32: require_once($dir_abs_admin_src . "admin_util.php");

admin_image.php:

28: require_once($dir_abs_src . "common.php");

29: require_once($dir_abs_admin_src . "admin_util.php");

admin_util.php:

29: require_once($dir_abs_src . "common.php");

Input passed to the "dir_abs_src" parameter in "check_entry.php" and the "dir_abs_admin_src" parameter in

"admin_album.php", "admin_image.php" and "admin_util.php" is not properly verified, before it is used to execute the given arguments.

Vuln 1: Acquiring access to known files outside of the web root and current directory

is possible through directory traversal techniques.

This is made possible through the use of "../../" in a HTTP request.

Vuln 2: This can also be exploited to execute arbitrary HTML and script code in context of an affected site.

Vuln 3: This can also be exploited to include arbitrary files from external and local resources.

Solution:

----------------------------------------------

Replace the vulnerable lines with my fixed lines.

This hotfix does only fix the the files against directory traversal and file include vulnerabilities.

Line 81 in check_entry.php: require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));

MajorSecurity fix option 1: include("entry_point.php");

MajorSecurity fix option 2: require_once(rig_check_src_file("entry_point.php"));

In the others vuln files you need to replace following lines:

28: require_once($dir_abs_src . "common.php");

29: require_once($dir_abs_admin_src . "admin_util.php");

with my fixed lines:

28: require_once("common.php");

29: require_once("admin_util.php");

Solution(Against XSS-attacks):

----------------------------------------------

Edit the source code to ensure that input is properly sanitised.

You should work with "htmlspecialchars()" or "strip_tags()" php-function to ensure that html tags

are not going to be executed.

Example:

<?php

echo htmlspecialchars("<script");

?>

Set "register_globals" to "Off".

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus