BugTraq
Gallery XSS security advisory (with fix and patch instructions) Jul 27 2003 11:19PM
Bharat Mediratta (bharat menalto com)
___________________
PROBLEM DESCRIPTION

Gallery is an open source image management system. Learn more about
it at http://gallery.sourceforge.net

Gallery has a feature that allows users to search their image captions
and descriptions for specific search terms. A typo in the security code
of this feature permits a cross site scripting bug that can allow
malicious users to craft a URL such that they can execute javascript
in your browser.

Many thanks to Larry Nguyen for noticing this bug and doing the responsible
thing by bringing it to the attention of the Gallery dev team. As always,
we react quickly to all notifications about security flaws.

You can reproduce this vulnerability by enabling the search feature on
Gallery and searching for this term:

<script>alert("You are vulnerable")</script>

If the resulting search page yields a javascript popup, your Gallery should
be patched.

_________________
VERSIONS AFFECTED

This hole affects all Gallery releases from version 1.1 to 1.3.4. It
has been fixed in Gallery v1.3.4-p1 and the Gallery 1.3.5 development
branch in CVS.
__________________
FIXING THE PROBLEM

The fix to this problem is very simple. Pursue one of the following
three options:

1. Upgrade to v1.3.4-p1, available now on the Gallery website:
http://gallery.sourceforge.net/download.php

We provide a complete release of the code as well as a file that
contains a patch from 1.3.4 with instructions.

-- or --

2. Edit search.php, locate this line:

$searchString = removeTags($searchstring);

and replace it with:

$searchstring = removeTags($searchstring);

-- or --

3. Delete search.php from your gallery. This will secure your system but
will also break the search feature so you will probably want to edit
config.php and change this line:
$gallery->app->default["showSearchEngine"] = "yes";
to:
$gallery->app->default["showSearchEngine"] = "no";

regards,
Bharat Mediratta
Gallery developer

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus