SecurityTracker.com
Category:   Application (Multimedia)  >   Singapore
Vendors:   singapore.sourceforge.net
Singapore Input Validation Holes Let Remote Authenticated Users Download and Upload Files, Delete Directories, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012567
SecurityTracker URL:  http://securitytracker.com/id/1012567
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 16 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.9.10
Description:   Tan Chew Keong of SIG^2 reported several vulnerabilities in singapore. A remote user can view files and conduct cross-site scripting attacks. A remote authenticated user can upload files and delete directories.

It is reported that the showThumb() function in 'thumb.php' does not properly validate user-supplied input and lets remote users download arbitrary files with the privileges of the target web service.

It is also reported that the addImage() function in 'admin.class.php' allows a remote authenticated user to upload files containing PHP code. The remote authenticated user can then cause the web server to execute the scripting code.

It is also reported that a remote authenticated user can exploit a directory traversal vulnerability in 'admin.class.php' to delete arbitrary directories with the privileges of the target web service.
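
An added example, not taken from singapore or its 0.9.11 fix: one way to write the missing checks described above, confining a requested path to the gallery directory (the download and delete cases) and validating an uploaded file's name and content. The function names, the extension allowlist and the demo directory layout are assumptions.

```php
<?php
// Added example, not singapore's code. Names, the allowlist and the demo
// layout are assumptions made for illustration.

// Return the canonical path only if it lies strictly inside $baseDir.
function confine_path(string $baseDir, string $userPath): ?string
{
    if (strpos($userPath, "\0") !== false) {
        return null;                 // embedded NUL byte
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return null;                 // base or target does not exist
    }
    // Trailing separator: "/galleries-old" must not pass for "/galleries".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Return a safe stored name only for a real image with an allowlisted type.
function safe_image_name(string $clientName, string $tmpFile): ?string
{
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    $name = basename(str_replace('\\', '/', $clientName)); // drop path part
    // Exactly one dot: rejects names such as "x.php.jpg" and ".htaccess".
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return null;
    }
    $ext  = strtolower($m[1]);
    $info = @getimagesize($tmpFile);     // parses the header, not the name
    if (!isset($allowed[$ext]) || $info === false || $info[2] !== $allowed[$ext]) {
        return null;                     // extension and content must agree
    }
    return $name;
}

// Constructed demo: a throwaway tree with data/ beside galleries/.
$root = sys_get_temp_dir() . '/sg_demo_' . uniqid();
mkdir("$root/galleries/art", 0700, true);
mkdir("$root/data", 0700, true);
file_put_contents("$root/galleries/art/a.gif", "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
file_put_contents("$root/data/users.csv.php", "constructed");
var_dump(confine_path("$root/galleries", 'art/a.gif'));             // inside
var_dump(confine_path("$root/galleries", '../data/users.csv.php')); // outside
var_dump(safe_image_name('a.gif', "$root/galleries/art/a.gif"));    // image
var_dump(safe_image_name('a.php', "$root/galleries/art/a.gif"));    // bad ext
```

Because realpath() resolves symbolic links and ".." segments before the prefix comparison, the check is made on the path the filesystem will actually use rather than on the string the client sent.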

A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the singapore software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vendor was notified on November 17, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/singapore0910.html

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the singapore software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can view files with the privileges of the target web service.

A remote authenticated user can upload files containing PHP code.

A remote authenticated user can delete directories with the privileges of the target web service.

Solution:   The vendor has released a fixed version (0.9.11), available at:

http://singapore.sourceforge.net/?page=download

Vendor URL:  singapore.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple


SIG^2 Vulnerability Research Advisory

singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities

by Tan Chew Keong
Release Date: 16 Dec 2004


ADVISORY URL
http://www.security.org.sg/vuln/singapore0910.html


SUMMARY

singapore (http://singapore.sourceforge.net/) is yet another open source 
PHP based image gallery web application. What makes it different from 
the hundreds of other similar scripts is that it is specifically geared 
towards displaying art in an aesthetically pleasing fashion using a 
clean, uncluttered interface.

Multiple vulnerabilities were found in the image gallery web application 
including arbitrary file download, directory deletion and Cross-Site 
Scripting (XSS).


TESTED SYSTEM

singapore Image Gallery Web Application Version 0.9.10 on English Win2K 
IIS with PHP 4.3.4, 4.3.9

singapore Image Gallery Web Application Version 0.9.10 on Linux 
Apache/1.3.33 PHP/4.3.9


DETAILS

Multiple vulnerabilities were found in the image gallery web application 
including arbitrary file download, directory deletion and Cross-Site 
Scripting (XSS).

1. Insufficient directory traversal check in thumb.php showThumb() 
method may allow arbitrary file download.  This may be exploited to 
download the encrypted password file in /install_dir/data/users.csv.php.

2. Insufficient filename check in admin.class.php addImage() function 
may allow arbitrary file upload.  This may be exploited by a malicious 
logged-on user to upload arbitrary PHP scripts instead of image files.

3. Insufficient directory traversal check in admin.class.php allows 
deletion of an arbitrary directory that the Windows web server has delete 
access to.  On a Windows platform, deletion of arbitrary directories 
that the web server has write access to is possible.

4. Multiple Cross-Site Scripting (XSS) Vulnerabilities


PATCH

Upgrade to version 0.9.11.


DISCLOSURE TIMELINE

17 Nov 04 - Vulnerability Discovered.
17 Nov 04 - Initial Author Notification by Email.
17 Nov 04 - Initial Author Reply.
18 Nov 04 - Second Author Notification.
19 Nov 04 - Received patch from Author, but it does not work.
19 Nov 04 - Informed Author that patch does not work.
30 Nov 04 - Third Author Notification.
03 Dec 04 - Author provided fix.
15 Dec 04 - Author Released Version 0.9.11.
16 Dec 04 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
 
 



Copyright 2021, SecurityGlobal.net LLC