Date: Wed, 2 Feb 2005 10:39:26 -0500
From: Jon Keating <jon@...q.org>
To: gallery-devel@...ts.sourceforge.net
Cc: bugtraq@...urityfocus.com
Subject: Gallery is still vulnerable to Cross-site Scripting attacks


Hello,

After testing out the updates to CVS for Gallery, I realized it is still vulnerable to the cross-site scripting attacks that were mentioned in the first advisory.

The following code was committed to CVS:

/* 
 * Test for relative URL, which we know to be local.  If URL contains ://
 * assume that it's remote and test it against our local full URLs
 * to ensure security.  Don't check for http:// or https:// because
 * for all we know, someone put their album URL on a gopher server...
 */
if ($return[0] != '/' && strstr($return, '://') !== false) {
    if (strncmp($return, $gallery->app->photoAlbumURL, strlen($gallery->app->photoAlbumURL) != 0) &&
	    strncmp($return, $gallery->app->albumDirURL, strlen($gallery->app->albumDirURL) != 0)) {
	die(_('Attempted security breach.'));
    }
}

The problem is with the strncmp(). If you look closely, you will see that the comparison != 0 occurs _inside_ the strncmp(). On my system this makes strncmp be true and return 0. So the URL is "validated" and continues down the chain, giving the same cross-site scripting attack as before. The correct code should be:

/*
 * Test for relative URL, which we know to be local. If URL contains ://
 * assume that it's remote and test it against our local full URLs
 * to ensure security. Don't check for http:// or https:// because
 * for all we know, someone put their album URL on a gopher server...
 */
if((isset($return)) && ($return[0] != '/') && strstr($return, "://")) {
 if (strncmp($return, $gallery->app->photoAlbumURL, strlen($gallery->app->photoAlbumURL)) != 0 &&
 strncmp($return, $gallery->app->albumDirURL, strlen($gallery->app->albumDirURL)) != 0) {
 die(_('Attempted security breach.'));
 }
}

I removed the '!== false' because it is unnecessary in PHP.

The file that this code is taken from is do_command.php

Jon

____________________________________________________________________
Jon Keating                              jon@...q.org
ICQ: 16325723                            emostar on irc.freenode.net
Shizuoka-Ken, Mishima-Shi, JAPAN
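The following is an added example, not code from Gallery or from the poster. It reproduces the return-URL check in do_command.php twice: once with the misplaced parenthesis as committed, once as corrected, and runs both over a few constructed URLs. The configured base URLs and the sample inputs are assumptions standing in for $gallery->app->photoAlbumURL and $gallery->app->albumDirURL; the checks themselves return a boolean in place of die() so the two behaviours can be compared side by side.

```php
<?php
// Added example (not Gallery's own code). Shows why the committed check
// accepts remote URLs and how the corrected parenthesis fixes it.

// Assumed configuration values standing in for
// $gallery->app->photoAlbumURL and $gallery->app->albumDirURL.
const PHOTO_ALBUM_URL = 'http://gallery.example.com/gallery/';
const ALBUM_DIR_URL   = 'http://gallery.example.com/albums/';

// Check as committed to CVS. "strlen(...) != 0" is evaluated first and yields
// true, which strncmp() receives as the integer length 1. Only the first byte
// of the URLs is compared, so any remote URL starting with the same byte as
// the configured base URLs ("h") compares equal and is accepted.
function isAllowedBuggy(string $return): bool
{
    // Empty-string guard added so the example runs cleanly on PHP 8;
    // it does not change the defect being demonstrated.
    if ($return !== '' && $return[0] != '/' && strstr($return, '://') !== false) {
        if (strncmp($return, PHOTO_ALBUM_URL, strlen(PHOTO_ALBUM_URL) != 0) &&
            strncmp($return, ALBUM_DIR_URL, strlen(ALBUM_DIR_URL) != 0)) {
            return false; // stands in for die(_('Attempted security breach.'))
        }
    }
    return true;
}

// Check with the comparison moved outside strncmp(): the full length of each
// configured URL is compared, and a URL is only accepted if it is a
// prefix match for one of them.
function isAllowedFixed(string $return): bool
{
    if ($return !== '' && $return[0] != '/' && strstr($return, '://') !== false) {
        if (strncmp($return, PHOTO_ALBUM_URL, strlen(PHOTO_ALBUM_URL)) != 0 &&
            strncmp($return, ALBUM_DIR_URL, strlen(ALBUM_DIR_URL)) != 0) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    '/gallery/view_album.php?set_albumName=foo',         // relative: treated as local
    'http://gallery.example.com/gallery/view_album.php', // under photoAlbumURL
    'http://gallery.example.com/albums/foo/',            // under albumDirURL
    'http://attacker.example/x.html',                    // remote, same first byte 'h'
    'gopher://attacker.example/',                        // remote, different first byte
];

foreach ($samples as $url) {
    printf("%-52s committed=%-5s fixed=%s\n", $url,
        isAllowedBuggy($url) ? 'allow' : 'deny',
        isAllowedFixed($url) ? 'allow' : 'deny');
}
```

Run with `php example.php`: the committed version allows `http://attacker.example/x.html` because only the leading `h` is compared, while it denies the gopher URL only because its first byte happens to differ. The fixed version denies both remote URLs and allows the two that sit under the configured bases. Note that even the corrected check is a plain prefix comparison: anything beginning with the configured string passes, so the configured values should end with a path separator so that a longer hostname cannot extend the prefix.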


