Coppermine Photo Gallery Input Validation Bug in Processing EXIF Meta Data Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1014799 |
|
SecurityTracker URL: http://securitytracker.com/id/1014799
|
|
CVE Reference:
CVE-2005-2676
(Links to External Site)
|
Updated: Jun 8 2008
|
Original Entry Date: Aug 26 2005
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.3.3 and prior versions
|
Description:
A vulnerability was reported in Coppermine Photo Gallery in the processing of EXIF meta data. A remote user can conduct cross-site scripting attacks.
A remote user can create a JPEG image with a specially crafted Exchangeable Image File (EXIF) header. When the target user views the image header data, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the Coppermine Photo Gallery software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit 'Camera Model Tag' value is provided:
<script>alert(document.cookie)</script>
The vendor was notified on August 17, 2005.
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Coppermine Photo Gallery software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
The vendor has issued a fixed version (1.3.4), available at:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.4.zip?download
|
Vendor URL: coppermine.sourceforge.net/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Subject: Multiple PHP Images Galleries EXIF Metadata XSS Vulnerabilities
|
########################################################################
Summary :
A large majority of PHP Images Gallery Technologies now handle the
Exchangeable Image File (EXIF) header of jpeg files. The Exchangeable
Image File (EXIF) format is an international specification that lets
imaging companies encode metadata information into the headers or
application segments of a JPEG file. Unfortunately the metadata gathered
in the EXIF header are not well sanitized when displayed.
########################################################################
Details :
Displaying the EXIF information is a nice feature, and more and more
online gallery try to enable this functionnality to please their users.
The default behavior of all these technologies is not always the same,
in some cases you may have to configure the gallery to display the EXIF
info or install an additionnal tool (jhead for example) to enable the
functionnality.
When, the setup process is done, the EXIF info will be displayed
automatically when clicking on the picture (in rare cases you may have
to request the EXIF info by clicking on an information/exif button).
When displayed, the EXIF information is not sanitized, which makes the
gallery technology vulnerable to cross site scripting attacks.
Vulnerable Systems:
* Coppermine (up to 1.3.3, >= beta 1.4.1 not vulnerable)
==>http://coppermine.sourceforge.net/
* Gallery 1.5.1-RC2 and prior
(in addition the photo description field was vulnerable to XSS)
==>http://gallery.menalto.com/
* phpGraphy (up to version 0.9.9a, >= 0.9.10 not vulnerable)
==>http://phpgraphy.sourceforge.net/
* YaPig 0.95 and prior
==>http://yapig.sourceforge.net/
A large number of galleries are available, if you want to extend the
test panel, try for example :
http://directory.google.com/Top/Computers/Programming/Languages/PHP/Scripts/Image_Galleries/
Commercial technologies are vulnerable too
* PhotoPost PHP Pro (current version)
==> http://www.photopost.com/
After a short survey, it looks like online images galleries as MSN,
YAHOO, ShutterFly, Pixagogo, PictureTrail ... don't provide EXIF
metadata for now. So are not affected by this vulnerability.
Release Date :
August 26, 2005
Severity :
MEDIUM
########################################################################
Example :
Take your favorite picture, and save it in .jpg. Use the EXIF editor of
your choice and edit the Camera Model Tag. Replace the current value by
" <script>alert(document.cookie)</script> ".
Then upload the jpeg file to your favorite Online Gallery and click on
the picture ... XSS.
########################################################################
Vendor Status :
The information has been provided to all concerned Project Managers the
17th of August 2005.
* Coppermine
Update to Coppermine pg1.3.4
http://coppermine-gallery.net/forum/index.php?topic=20933.0
* Gallery
Update to the final release of Gallery 1.5.1.
http://gallery.menalto.com/modules.php?op=modload&name=phpWiki&file=index&pagename=Download
A patch for Gallery 1.5 and a new Debian's Gallery 1.2.5 package have
been released too.
* phpGraphy
Update to version 0.9.10
http://phpgraphy.sourceforge.net/download.php
* YaPig
No answer up to now.
* PhotoPost PHP Pro
On the 22nd of August:
"we'll be issuing an update to PhotoPost today which will sanitize this
data before being displayed"
########################################################################
Credit :
Cedric Cochin, Network Security Expert
Web Site: http://cedri.cc
< cedric.cochin [-at-] gmail .DoT. com >
Currently => SecureScout Product Integration Manager
Previously => netVigilance SecurityWatch Team Manager
Web Site => http://www.securescout.com || http://www.netvigilance.com
Original Advisory link:
http://cedri.cc/advisories/EXIF_XSS.txt
|
|
