Singapore Input Validation Holes Let Remote Users Download Files and Conduct Cross-Site Scripting Attacks and Let Remote Authenticated Users Upload Files and Delete Directories
SecurityTracker Alert ID: 1012567
SecurityTracker URL: http://securitytracker.com/id/1012567
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 16 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.9.10

Description:
Tan Chew Keong of SIG^2 reported several vulnerabilities in singapore. A remote user can view files and conduct cross-site scripting attacks. A remote authenticated user can upload files and delete directories.
It is reported that the showThumb() function in 'thumb.php' does not properly validate user-supplied input and lets remote users download arbitrary files with the privileges of the target web service.
It is also reported that the addImage() function in 'admin.class.php' allows a remote authenticated user to upload files containing PHP code. The remote authenticated user can then cause the web server to execute the scripting code.
It is also reported that a remote authenticated user can exploit a directory traversal vulnerability in 'admin.class.php' to delete arbitrary directories with the privileges of the target web service.
A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the singapore software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor was notified on November 17, 2004.
The original advisory is available at:
http://www.security.org.sg/vuln/singapore0910.html
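What each of the four findings in the description above (and in the numbered DETAILS of the source advisory below) requires on the server side, as an added example that is not code from singapore or from the advisory author: a realpath()-based containment check shared by the thumbnail-serving and directory-deletion paths, an allowlist-plus-content check for uploads so a PHP script cannot be stored under an executable name, and output encoding for strings reflected into HTML. The function names, the throw-away directory layout and the sample files are assumptions made for this illustration; the naive blacklist at the top stands for the class of check the advisory calls "insufficient" and is not singapore's actual code. It runs from the command line with PHP 7 or later.

```php
<?php
// Added example, not code from the singapore project: the containment, upload
// and output-encoding checks the four reported issues call for, exercised
// against a throw-away directory. All names, paths and sample files are assumptions.
declare(strict_types=1);

// The class of "insufficient directory traversal check" the advisory names: a
// blacklist on the raw string. Illustrative only; this is not singapore's code.
function naiveSanitise(string $p): string
{
    return str_replace('../', '', $p);   // single pass: "....//" collapses to "../"
}

// Canonicalise $userPath relative to $baseDir and return it only if it stays
// inside. realpath() resolves "..", "." and symlinks, so a prefix test on its
// result is a real containment check; a substring test on the raw input is not.
function containedPath(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;                     // NUL would truncate the path at the C level
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                     // nothing there to serve or delete
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // The trailing separator also rejects $base itself and "$base-other".
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Issue 1: thumb.php-style file serving, restricted to the gallery directory.
function thumbPath(string $galleryDir, string $requested): ?string
{
    $path = containedPath($galleryDir, $requested);
    return ($path !== null && is_file($path)) ? $path : null;
}

// Issue 2: accept an upload only if the extension is allowlisted AND getimagesize()
// agrees with it; the stored name is server-generated, so "shell.php" or
// "shell.php.jpg" never lands on disk under a name the web server would execute.
function safeImageName(string $clientName, string $tmpPath): ?string
{
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG,  'gif'  => IMAGETYPE_GIF];
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $info = isset($allowed[$ext]) ? @getimagesize($tmpPath) : false;
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
}

// Issue 3: delete a gallery sub-directory, never the root or anything outside it.
function deleteGalleryDir(string $galleryDir, string $requested): bool
{
    $dir = containedPath($galleryDir, $requested);
    if ($dir === null || !is_dir($dir)) {
        return false;
    }
    $walk = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST);
    foreach ($walk as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    return rmdir($dir);
}

// Issue 4: encode anything reflected into HTML so it cannot become script.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function check(string $label, bool $ok): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . "\n";
}

// Constructed layout: <tmp>/secret.txt outside; <tmp>/gallery/{pub.jpg,pixel.gif,old/} inside.
$root    = sys_get_temp_dir() . '/singapore-demo-' . bin2hex(random_bytes(4));
$gallery = $root . '/gallery';
$gif     = $gallery . '/pixel.gif';          // a genuine 1x1 GIF, base64-embedded below
mkdir($gallery . '/old', 0700, true);
file_put_contents($root . '/secret.txt', "not for download\n");
file_put_contents($gallery . '/pub.jpg', "text, not a real JPEG\n");
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

check('naive blacklist is bypassed',        naiveSanitise('....//secret.txt') === '../secret.txt');
check('thumbnail inside gallery served',    thumbPath($gallery, 'pub.jpg') !== null);
check('../ traversal refused',              thumbPath($gallery, 'old/../../secret.txt') === null);
check('.php upload refused',                safeImageName('shell.php', $gif) === null);
check('extension/content mismatch refused', safeImageName('pixel.jpg', $gif) === null);
check('fake .jpg refused',                  safeImageName('pub.jpg', $gallery . '/pub.jpg') === null);
check('real GIF stored under server name',  preg_match('/^[0-9a-f]{16}\.gif$/', (string) safeImageName('pixel.gif', $gif)) === 1);
check('delete outside gallery refused',     deleteGalleryDir($gallery, '../') === false);
check('delete of gallery root refused',     deleteGalleryDir($gallery, '.') === false);
check('delete of sub-directory works',      deleteGalleryDir($gallery, 'old'));
check('script tag neutralised',             h('<script>') === '&lt;script&gt;');

deleteGalleryDir($root, 'gallery');         // remove the constructed tree
unlink($root . '/secret.txt');
rmdir($root);
```

The one design point worth noting is that the containment test is applied to the canonical path returned by realpath(), not to the request string: that is what makes it hold for "../", for "..\" on Windows, and for symlinks, and it is why the deletion path can reuse the same function instead of a second, separately written filter.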
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the singapore software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can view files with the privileges of the target web service.
A remote authenticated user can upload files containing PHP code.
A remote authenticated user can delete directories with the privileges of the target web service.

Solution:
The vendor has released a fixed version (0.9.11), available at:
http://singapore.sourceforge.net/?page=download

Vendor URL: http://singapore.sourceforge.net/

Cause:
Input validation error

Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)

Message History:
None.

Source Message Contents

Date: Thu, 16 Dec 2004 15:02:18 +0800
Subject: [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple
SIG^2 Vulnerability Research Advisory
singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities
by Tan Chew Keong
Release Date: 16 Dec 2004
ADVISORY URL
http://www.security.org.sg/vuln/singapore0910.html
SUMMARY
singapore (http://singapore.sourceforge.net/) is yet another open source
PHP based image gallery web application. What makes it different from
the hundreds of other similar scripts is that it is specifically geared
towards displaying art in an aesthetically pleasing fashion using a
clean, uncluttered interface.
Multiple vulnerabilities were found in the image gallery web application
including arbitrary file download, directory deletion and Cross-Site
Scripting (XSS).
TESTED SYSTEM
singapore Image Gallery Web Application Version 0.9.10 on English Win2K
IIS with PHP 4.3.4, 4.3.9
singapore Image Gallery Web Application Version 0.9.10 on Linux
Apache/1.3.33 PHP/4.3.9
DETAILS
Multiple vulnerabilities were found in the image gallery web application
including arbitrary file download, directory deletion and Cross-Site
Scripting (XSS).
1. Insufficient directory traversal check in thumb.php showThumb()
method may allow arbitrary file download. This may be exploited to
download the encrypted password file in /install_dir/data/users.csv.php.
2. Insufficient filename check in admin.class.php addImage() function
may allow arbitrary file upload. This may be exploited by a malicious
logged-on user to upload arbitrary PHP scripts instead of image files.
3. Insufficient directory traversal check in admin.class.php allows
deletion of arbitrary directories that the web server has delete
access to. On a Windows platform, any directory that the web server
has write access to can be deleted.
4. Multiple Cross-Site Scripting (XSS) Vulnerabilities
PATCH
Upgrade to version 0.9.11.
DISCLOSURE TIMELINE
17 Nov 04 - Vulnerability Discovered.
17 Nov 04 - Initial Author Notification by Email.
17 Nov 04 - Initial Author Reply.
18 Nov 04 - Second Author Notification.
19 Nov 04 - Received patch from Author, but it does not work.
19 Nov 04 - Informed Author that patch does not work.
30 Nov 04 - Third Author Notification.
03 Dec 04 - Author provided fix.
15 Dec 04 - Author Released Version 0.9.11.
16 Dec 04 - Public Release.
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."