Yapig: XSS / Code Injection Vulnerability

2005-10-13 / 2005-10-14
Credit: Nenad Jovanovic
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2005-4801
CWE: CWE-79


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=========================================================== Yapig: XSS / Code Injection Vulnerability =========================================================== Technical University of Vienna Security Advisory TUVSA-0510-001, October 13, 2005 =========================================================== Affected applications ---------------------- Yapig (yapig.sourceforge.net) Versions 0.95b and prior. Description ------------ 1.) Stored XSS An attacker can include malicious JavaScript by posting an image-related comment and inserting something like the following into the "Homepage" form field: "><script>alert('hi')</script> This attack falls under the category of stored cross-site scripting and doesn't require the attacker to be logged in. 2.) Reflected XSS An attacker can include malicious JavaScript by tricking a user into clicking a link to the following URL: http://your-server/path-to-yapig/view.php?gid=1&phid=1&img_size=><script >alert('hi')</script> The fields "your-server" and "path-to-yapig" in the given URL have to be adjusted accordingly. The parameters "gid=1" and "phid=1" assume that there exist a gallery and a photo with ID 1 and can be adjusted as well. Moreover, the width of the image being viewed has to be less than $MAX_IMG_SIZE (set inside config.php) because otherwise, the vulnerable variable $img_size is set to a safe value inside the if-branch on line 120 of view.php. And finally, register_globals has to be active. 3.) Code Injection An attacker can inject arbitrary PHP code into a gallery's "guid_info.php" file by tricking the logged-in admin into clicking a link to a page with the following contents: <form method="post" action="http://your-server/path-to-yapig/yapig095b/modify_gallery.php?ac tion=mod_info&gid=1"> <input value='TestGallery"; echo "evil' name="title" type="text"> <input value="TestAuthor" name="author" type="text"> <input value="TestDate" name="date" type="text"> <input value="" name="dir" type="text"> <input value="TestDescription" name="desc" type="text"> <input type="submit"> </form> <script type="text/javascript"> document.forms[0].submit(); </script> As for vulnerability #2, "your-server", "path-to-yapig", "gid" and "phid" can be adjusted. Apart from this, Yapig seems to be susceptible to "Cross-Site Request Forgery" (CSRF) attacks in general. However, this problem is not limited to Yapig, but affects a large number of comparable web applications available at this time. Solution --------- Attempts to contact the authors were not successful until now, so there is no official solution available yet. Timeline: September 28, 2005: Attempt to contact Yapig developers via "natasab at users.sourceforge.net". October 5, 2005: Attempt to contact Yapig developers via Sourceforge bug tracker. October 13, 2005: Advisory submission. Nenad Jovanovic Secure Systems Lab Technical University of Vienna www.seclab.tuwien.ac.at


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top