|
|
[MajorSecurity #18] Ralf Image Gallery <= - Multiple XSS, Remote File Include and directory traversal vulnerabilities=0D
----------------------------------------------=0D
=0D
Software: RIG[Ralf Image Gallery]=0D
=0D
Version: <=0.7.4=0D
=0D
Type: Cross site scripting + remote file include + directory traversal=0D
=0D
Discovery Date: June, 12th 2006=0D
=0D
Made public: June, 20th 2006 =0D
=0D
Vendor: RIG is developed and maintained by Le R'alf=0D
=0D
Page: http://rig.powerpulsar.com/=0D
=0D
Rated as: Very high=0D
=0D
=0D
Credits:=0D
----------------------------------------------=0D
Discovered by: David "Aesthetico" Vieira-Kurz=0D
http://www.majorsecurity.de=0D
=0D
Original Advisory:=0D
----------------------------------------------=0D
http://www.majorsecurity.de/advisory/major_rls18.txt=0D
=0D
Affected Products:=0D
----------------------------------------------=0D
RIG 0.7.4(unstable) and prior=0D
(http://sourceforge.net/project/showfiles.php?group_id=54367&release_id=179661)=0D
=0D
RIG 0.6.45 and 0.7(stable) and prior=0D
=0D
Contacted Vendor:=0D
----------------------------------------------=0D
I have contacted Le R'alf on June, 12th 2006 at 2:37 PM via e-mail, but until today I got no response=0D
and the bug was still not fixed!!!=0D
=0D
Description:=0D
----------------------------------------------=0D
RIG (a.k.a. the Ralf Image Gallery) is a web-based image album viewer.=0D
The main application of RIG is a viewer for digital camera albums; =0D
as such it offers specific functionalities like automatic image resizing and handling of dated album names.=0D
=0D
Requirements:=0D
----------------------------------------------=0D
register_globals = On=0D
=0D
Vulnerability:=0D
----------------------------------------------=0D
check_entry.php:=0D
81: require_once(rig_check_src_file($dir_abs_src . "entry_point.php")); =0D
=0D
admin_album.php:=0D
31: require_once($dir_abs_src . "common.php");=0D
32: require_once($dir_abs_admin_src . "admin_util.php");=0D
=0D
admin_image.php:=0D
28: require_once($dir_abs_src . "common.php");=0D
29: require_once($dir_abs_admin_src . "admin_util.php");=0D
=0D
admin_util.php:=0D
29: require_once($dir_abs_src . "common.php"); =0D
=0D
Input passed to the "dir_abs_src" parameter in "check_entry.php" and the "dir_abs_admin_src" parameter in =0D
"admin_album.php", "admin_image.php" and "admin_util.php" is not properly verified, before it is used to execute the given arguments.=0D
=0D
Vuln 1: Acquiring access to known files outside of the web root and current directory=0D
is possible through directory traversal techniques.=0D
This is made possible through the use of "../../" in a HTTP request.=0D
=0D
Vuln 2: This can also be exploited to execute arbitrary HTML and script code in context of an affected site.=0D
=0D
Vuln 3: This can also be exploited to include arbitrary files from external and local resources.=0D
=0D
Solution:=0D
----------------------------------------------=0D
Replace the vulnerable lines with my fixed lines.=0D
This hotfix does only fix the the files against directory traversal and file include vulnerabilities.=0D
=0D
Line 81 in check_entry.php: require_once(rig_check_src_file($dir_abs_src . "entry_point.php")); =0D
=0D
MajorSecurity fix option 1: include("entry_point.php"); =0D
MajorSecurity fix option 2: require_once(rig_check_src_file("entry_point.php")); =0D
=0D
In the others vuln files you need to replace following lines:=0D
=0D
28: require_once($dir_abs_src . "common.php");=0D
29: require_once($dir_abs_admin_src . "admin_util.php");=0D
=0D
with my fixed lines:=0D
28: require_once("common.php");=0D
29: require_once("admin_util.php");=0D
=0D
Solution(Against XSS-attacks):=0D
----------------------------------------------=0D
Edit the source code to ensure that input is properly sanitised.=0D
You should work with "htmlspecialchars()" or "strip_tags()" php-function to ensure that html tags=0D
are not going to be executed.=0D
=0D
Example:=0D
=0D
=0D
Set "register_globals" to "Off".=0D
=0D
=0D
=0D
=0D