[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061221102834.16282.qmail@securityfocus.com>
Date: 21 Dec 2006 10:28:34 -0000
From: matthieu.paineauSTOPSPAM@...adoo.fr
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerability in MG2 php based Image Gallery - bypass
security, view password protected images
Preben Nyløkken has discovered this vulnerability in MG2, which can be exploited by malicious people to conduct script insertion attacks and disclose potentially sensitive information.
When adding a comment to an image, input passed to the "name" parameter isn't properly sanitised before being used.
This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.
The vulnerabilities have been confirmed in version 0.5.1. Other versions may also be affected.
Solution :
// /includes/mg2_functions.php
// Find "function charfix($string) {"
// Replace the entire function by this code :
function charfix($string) {
$string = str_replace("*","#",$string);
$string = str_replace(chr(92).chr(34),""",$string);
$string = str_replace("\'","'",$string);
$string = str_replace(chr(34),""",$string);
$string = htmlspecialchars($string);
return $string;
}
//---------
// /index.php
// Find "if ($_REQUEST['action'] == "addcomment"){
// Replace the entire line by this code :
if ($_REQUEST['action'] == "addcomment" && $mg2->showcomments == 1){
If your system has been hacked, you should see some 'xxxx.php.comment' or 'xxx.php' files in the /pictures folder. In this case, clean by deleting all "*.php", "*.php.comment", "*.asp" in the /pictures folder
Powered by blists - more mailing lists