Date: 21 Dec 2006 10:28:34 -0000
From: matthieu.paineauSTOPSPAM@...adoo.fr
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images

Preben Nyløkken has discovered this vulnerability in MG2, which can be exploited by malicious people to conduct script insertion attacks and disclose potentially sensitive information.

When adding a comment to an image, input passed to the "name" parameter isn't properly sanitised before being used. 
This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.

The vulnerabilities have been confirmed in version 0.5.1. Other versions may also be affected.


Solution:
// /includes/mg2_functions.php
// Find "function charfix($string) {"
// Replace the entire function by this code :
  function charfix($string) {
    // Replace '*' with '#' in the submitted value
    $string = str_replace("*", "#", $string);
    // Undo backslash-escaping of quotes (magic_quotes style) before encoding,
    // so that the encoding step below sees the raw characters
    $string = str_replace(chr(92).chr(34), chr(34), $string);
    $string = str_replace("\\'", "'", $string);
    // Encode <, >, &, " and ' so the value cannot inject HTML or script.
    // This must run last: encoding first and then inserting entities by hand
    // would turn &quot; into &amp;quot;
    $string = htmlspecialchars($string, ENT_QUOTES);
    return $string;
  }

//---------
// /index.php
// Find "if ($_REQUEST['action'] == "addcomment"){"
// Replace the entire line by this code :
if ($_REQUEST['action'] == "addcomment" && $mg2->showcomments == 1){

If your system has been hacked, you should see some 'xxxx.php.comment' or 'xxx.php' files in the /pictures folder. In this case, clean up by deleting all "*.php", "*.php.comment" and "*.asp" files in the /pictures folder.
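As an added example (not part of the advisory or of MG2), a POSIX sh helper that locates the files the advisory names as indicators under the pictures folder and moves them into a quarantine directory, keeping a manifest, rather than deleting them outright; the two directory paths are assumptions supplied by the caller, and the quarantine directory is assumed to lie outside the pictures folder.

```shell
#!/bin/sh
# Quarantine files matching the advisory's indicators (*.php, *.php.comment,
# *.asp) found anywhere below an MG2 pictures folder.
# Usage: mg2_quarantine_planted_files <pictures_dir> <quarantine_dir>
# Prints the number of files moved; the quarantine directory gets a
# manifest.txt mapping each original relative path to its new location.
mg2_quarantine_planted_files() {
    pictures_dir=$1
    quarantine_dir=$2
    [ -d "$pictures_dir" ] || return 2
    mkdir -p "$quarantine_dir" || return 2
    manifest="$quarantine_dir/manifest.txt"
    : > "$manifest"
    # Collect matches first so the move loop runs in the current shell
    # (a pipe into 'while' would run in a subshell and lose the manifest).
    find "$pictures_dir" -type f \
        \( -name '*.php' -o -name '*.php.comment' -o -name '*.asp' \) \
        > "$manifest.tmp"
    while IFS= read -r f; do
        rel=${f#"$pictures_dir"/}
        # Flatten subdirectories into the file name so nothing collides
        dest="$quarantine_dir/$(printf '%s' "$rel" | tr '/' '_')"
        mv -- "$f" "$dest" || continue
        printf '%s\t%s\n' "$rel" "$dest" >> "$manifest"
    done < "$manifest.tmp"
    rm -f "$manifest.tmp"
    wc -l < "$manifest" | tr -d ' '
}
# Example invocation (paths are placeholders):
# mg2_quarantine_planted_files /var/www/mg2/pictures /var/quarantine/mg2
```

Review the manifest and the quarantined files before discarding them; a legitimate .php file under the pictures folder would also be caught by these patterns.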
