[MajorSecurity #18] Ralf Image Gallery <= - Multiple XSS, Remote File Include and directory traversal vulnerabilities
----------------------------------------------
Software: RIG[Ralf Image Gallery]
Version: <=0.7.4
Type: Cross site scripting + remote file include + directory traversal
Discovery Date: June, 12th 2006
Made public: June, 20th 2006
Vendor: RIG is developed and maintained by Le R'alf
Page: http://rig.powerpulsar.com/
Rated as: Very high
Credits:
----------------------------------------------
Discovered by: David "Aesthetico" Vieira-Kurz
http://www.majorsecurity.de
Original Advisory:
----------------------------------------------
http://www.majorsecurity.de/advisory/major_rls18.txt
Affected Products:
----------------------------------------------
RIG 0.7.4(unstable) and prior
(http://sourceforge.net/project/showfiles.php?group_id=54367&release_id=
179661)
RIG 0.6.45 and 0.7(stable) and prior
Contacted Vendor:
----------------------------------------------
I have contacted Le R'alf on June, 12th 2006 at 2:37 PM via e-mail, but until today I got no response
and the bug was still not fixed!!!
Description:
----------------------------------------------
RIG (a.k.a. the Ralf Image Gallery) is a web-based image album viewer.
The main application of RIG is a viewer for digital camera albums;
as such it offers specific functionalities like automatic image resizing and handling of dated album names.
Requirements:
----------------------------------------------
register_globals = On
Vulnerability:
----------------------------------------------
check_entry.php:
81: require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));
admin_album.php:
31: require_once($dir_abs_src . "common.php");
32: require_once($dir_abs_admin_src . "admin_util.php");
admin_image.php:
28: require_once($dir_abs_src . "common.php");
29: require_once($dir_abs_admin_src . "admin_util.php");
admin_util.php:
29: require_once($dir_abs_src . "common.php");
Input passed to the "dir_abs_src" parameter in "check_entry.php" and the "dir_abs_admin_src" parameter in
"admin_album.php", "admin_image.php" and "admin_util.php" is not properly verified, before it is used to execute the given arguments.
Vuln 1: Acquiring access to known files outside of the web root and current directory
is possible through directory traversal techniques.
This is made possible through the use of "../../" in a HTTP request.
Vuln 2: This can also be exploited to execute arbitrary HTML and script code in context of an affected site.
Vuln 3: This can also be exploited to include arbitrary files from external and local resources.
Solution:
----------------------------------------------
Replace the vulnerable lines with my fixed lines.
This hotfix does only fix the the files against directory traversal and file include vulnerabilities.
Line 81 in check_entry.php: require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));
MajorSecurity fix option 1: include("entry_point.php");
MajorSecurity fix option 2: require_once(rig_check_src_file("entry_point.php"));
In the others vuln files you need to replace following lines:
28: require_once($dir_abs_src . "common.php");
29: require_once($dir_abs_admin_src . "admin_util.php");
with my fixed lines:
28: require_once("common.php");
29: require_once("admin_util.php");
Solution(Against XSS-attacks):
----------------------------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with "htmlspecialchars()" or "strip_tags()" php-function to ensure that html tags
are not going to be executed.
Example:
<?php
echo htmlspecialchars("<script");
?>
Set "register_globals" to "Off".