SecurityTracker.com
SecurityTracker Archives

Category:   Application (Multimedia)  >   Gallery
Vendors:   Gallery Project
Gallery Input Validation Hole in Search Feature Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007318
SecurityTracker URL:  http://securitytracker.com/id/1007318
CVE Reference:   CVE-2003-0614
Updated:  Jul 31 2003
Original Entry Date:  Jul 28 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.1 to 1.3.4
Description:   An input validation vulnerability was reported in Gallery. A remote user can conduct cross-site scripting attacks.

It is reported that the software does not properly filter HTML code from user-supplied input in the caption/description search feature. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Gallery software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

As a demonstration exploit, you can search for the following string:

<script>alert("You are vulnerable")</script>

The vendor reports that the flaw is due to a typographical error in the security code.

The vendor credits Larry Nguyen with reporting the flaw.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Gallery software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has released fixed versions (1.3.4-p1 and 1.3.5), available at:

http://gallery.sourceforge.net/download.php

You can also manually edit the 'search.php' script or remove the search feature, as described in the Source Message.

Vendor URL:  gallery.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 31 2003 (Debian Issues Fix) Gallery Input Validation Hole in Search Feature Permits Cross-Site Scripting Attacks
Debian has released a fix.



Source Message Contents

Subject:  Gallery XSS security advisory (with fix and patch instructions)


___________________
PROBLEM DESCRIPTION

Gallery is an open source image management system.  Learn more about
it at http://gallery.sourceforge.net

Gallery has a feature that allows users to search their image captions
and descriptions for specific search terms.  A typo in the security code
of this feature permits a cross-site scripting bug that can allow
malicious users to craft a URL such that they can execute JavaScript
in your browser.

Many thanks to Larry Nguyen for noticing this bug and doing the responsible
thing by bringing it to the attention of the Gallery dev team.  As always,
we react quickly to all notifications about security flaws.

You can reproduce this vulnerability by enabling the search feature on
Gallery and searching for this term:

    <script>alert("You are vulnerable")</script>

If the resulting search page yields a javascript popup, your Gallery should
be patched.

_________________
VERSIONS AFFECTED

This hole affects all Gallery releases from version 1.1 to 1.3.4.  It
has been fixed in Gallery v1.3.4-p1 and the Gallery 1.3.5 development
branch in CVS.

__________________
FIXING THE PROBLEM

The fix to this problem is very simple.  Pursue one of the following
three options:

1. Upgrade to v1.3.4-p1, available now on the Gallery website:
        http://gallery.sourceforge.net/download.php
   
   We provide a complete release of the code as well as a file that
   contains a patch from 1.3.4 with instructions.

-- or -- 

2. Edit search.php, locate this line:

        $searchString = removeTags($searchstring);

   and replace it with:

        $searchstring = removeTags($searchstring);

-- or --

3. Delete search.php from your gallery.  This will secure your system but
   will also break the search feature so you will probably want to edit
   config.php and change this line:
        $gallery->app->default["showSearchEngine"] = "yes";
   to:
        $gallery->app->default["showSearchEngine"] = "no";

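The following is an added illustration, not Gallery's own search.php and not part of the advisory: a minimal PHP model of the bug described above. PHP variable names are case-sensitive, so the sanitized value written to `$searchString` is simply an unused variable while the raw `$searchstring` is still what reaches the page. The `removeTags()` stand-in (built on `strip_tags()`), the three `renderSearch*` functions and the output-encoding variant are assumptions made for this example; Gallery's real patch is the one-character fix shown in option 2.

```php
<?php
// Added illustration of the search.php typo (not Gallery's code).
// Function names and the removeTags() stand-in are assumptions.
declare(strict_types=1);

// Stand-in for Gallery's removeTags(): strip markup from the search term.
// Gallery's actual implementation is not reproduced here.
function removeTags(string $s): string
{
    return strip_tags($s);
}

// Vulnerable handler: the sanitized value lands in $searchString (capital S),
// a brand-new variable, while the page is built from $searchstring, which is
// still the raw, unfiltered request input. PHP emits no warning for this.
function renderSearchVulnerable(string $searchstring): string
{
    $searchString = removeTags($searchstring);   // typo: different variable
    return "<p>Results for: " . $searchstring . "</p>";
}

// Fixed handler, equivalent to the advisory's option 2: assign the sanitized
// value back to the same variable that is used afterwards.
function renderSearchFixed(string $searchstring): string
{
    $searchstring = removeTags($searchstring);
    return "<p>Results for: " . $searchstring . "</p>";
}

// Defence in depth (an assumption, not part of the Gallery patch): encode at
// the point of output instead of relying on tag removal alone, so a term such
// as "a < b" is preserved and no leftover special character can form markup.
function renderSearchEncoded(string $searchstring): string
{
    $safe = htmlspecialchars($searchstring, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: " . $safe . "</p>";
}

// Self-check using the advisory's own probe string.
$probe = '<script>alert("You are vulnerable")</script>';

$handlers = [
    'vulnerable' => 'renderSearchVulnerable',
    'fixed'      => 'renderSearchFixed',
    'encoded'    => 'renderSearchEncoded',
];

foreach ($handlers as $label => $fn) {
    $html  = $fn($probe);
    $leaks = (stripos($html, '<script') !== false) ? 'SCRIPT TAG PRESENT' : 'clean';
    printf("%-10s %-20s %s\n", $label, $leaks, $html);
}
```

Run with `php` on the command line: only the vulnerable handler reports `SCRIPT TAG PRESENT`. The fixed handler emits `alert("You are vulnerable")` with the tags stripped, and the encoded handler emits `&lt;script&gt;...`, which a browser renders as literal text. A grep for assignments whose left-hand and right-hand variable names differ only in letter case is a cheap way to catch this class of typo in other PHP code before it ships.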
regards,
Bharat Mediratta
Gallery developer


Copyright 2019, SecurityGlobal.net LLC