Message-ID: <42A85E2D.4060908@gulftech.org>
Date: Thu, 09 Jun 2005 10:20:13 -0500
From: GulfTech Security Research <security@...ftech.org>
To: BugTraq <bugtraq@...urityfocus.com>,
	Secunia Research <vuln@...unia.com>, OSVDB <moderators@...db.org>
Subject: Invision Gallery Vulnerabilities


##########################################################
# GulfTech Security Research                June 9th, 2005
##########################################################
# Vendor  : Invision Power Services
# URL     : http://www.invisiongallery.com
# Version : All Versions Prior To 1.3.1
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
Invision Gallery is community-based gallery software that can be
integrated into Invision Power Board. There are several security
issues in Invision Gallery that may allow an attacker to force a user
into unknowingly or unwillingly performing actions on the attacker's
behalf, or may allow an attacker to influence SQL queries and retrieve
sensitive information contained in the underlying database. An
upgrade has been available for several weeks now, and all users should
upgrade their gallery installations as soon as possible.



Cross Site Request Forgery:
The proper precautions are not taken when dealing with certain actions,
and as a result an attacker can force a user to delete images and albums
simply by having them follow a malicious link, or by including the link in
an embedded tag such as img or iframe.

http://localhost/index.php?act=module&module=gallery&cmd=albums&op=del&album=2
http://localhost/index.php?act=module&module=gallery&cmd=delimg&img=2

The above links could be used to delete an album and an image, respectively.
This issue arises from not properly adhering to RFC 2616 section 9.1.1, which
requires GET requests to be safe, i.e. free of side effects.
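As an added example (not code from the advisory or from Invision), the following Python sketch shows the two checks a defender would put in front of a destructive gallery action such as the delete URLs above: refuse the action over GET, so that a bare link or an img/iframe src can never trigger it, and require a per-session anti-CSRF token on the POST. The session store, the function names and the form field name csrf_token are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side session store: session id -> anti-CSRF token.
# Invision Gallery's real session handling is not modelled here.
SESSIONS = {}


def new_session():
    """Create a session and mint a random token tied to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms for this session."""
    return SESSIONS[sid]


def is_destructive(params):
    """The two actions named in the advisory: album delete and image delete."""
    cmd = params.get("cmd")
    return cmd == "delimg" or (cmd == "albums" and params.get("op") == "del")


def authorize_action(method, url, form, sid):
    """Decide whether a request may perform a state-changing gallery action.

    Returns (allowed, reason). `form` holds the POST body fields; `sid` is the
    session id taken from the visitor's cookie (None when not logged in).
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if not is_destructive(params):
        return True, "read-only action"
    # RFC 2616 9.1.1: GET must be safe, so a side effect must never be
    # reachable through a link or an <img>/<iframe> src.
    if method.upper() != "POST":
        return False, "state-changing action requires POST"
    expected = SESSIONS.get(sid)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing session or token fails closed.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session()
    # The album-delete URL from the advisory, as a forged cross-site request.
    forged = "http://localhost/index.php?act=module&module=gallery&cmd=albums&op=del&album=2"
    print(authorize_action("GET", forged, {}, sid))
    print(authorize_action("POST", forged, {"csrf_token": csrf_token_for(sid)}, sid))
```

The GET refusal alone closes the img/iframe vector the advisory describes; the token is what stops an attacker-controlled page from submitting the POST form on the victim's behalf.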



SQL Injection:
There are a couple of SQL injection issues in Invision Gallery. The first
vulnerability I will talk about presents itself when editing comments.

http://localhost/index.php?act=module&module=gallery&cmd=editcomment&comment=
-99%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,name,0,0,0%20FROM%20ibf_members%20
WHERE%201/*&img=1

The above example will select a user's name from the database, but it could
just as easily select a password hash. The other SQL injection issue is pretty
dangerous and presents itself when voting on a photo. Basically, an attacker
may include arbitrary SQL statements instead of a rating and thereby influence
an UPDATE query, which can be very dangerous.



Solution:
Updated versions of the Invision Gallery software have been available for
many weeks now. Users should upgrade as soon as possible. Special thanks
to the guys at Invision for fixing these issues so quickly :)



Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00079-06092005



Credits:
James Bercegay of the GulfTech Security Research Team

