Open Searchable Image Catalogue: XSS and SQL Injection Vulnerabilities
Technical University of Vienna Security Advisory
TUVSA-0605-001, May 30, 2006
Open Searchable Image Catalogue (http://cosp.wordpress.com/tag/osic, http://sourceforge.net/projects/osic-win)
Versions 0.7 and prior.
There are a number of cross site scripting (XSS) vulnerabilities that are caused by the second echo statement in function do_mysql_query (core.php, line 544). If a database query fails for some reason, the query is reflected back to the user. Here are a few points where this situation can be exploited (if register_globals is active and if the current user is logged in as admin):
adminfunctions.php, line 531
adminfunctions.php, line 561
editcatalogue.php, line 523
[there has to be at least one file with a valid extension in the uploads directory]
editcatalogue.php, line 581
The above vulnerabilities are also SQL Injection vulnerabilities.
Some analogous cases in search.php:
search.php, line 120:
The $query variable can contain malicious user input due to the assignments on lines 90-112.
search.php, line 152:
$cf_query is tainted by $cfid, which is tainted by $tempCustomFieldID, which is tainted by $HTTP_POST_VARS (line 138).
search.php, lines 243-250:
There are calls to getValueFromID with $item_list as parameter, which can be controlled by an attacker.
The authors have responded to our message quickly and have released version 0.7.0.1, which fixes the above issues.
March 30, 2006:
- Vulnerabilities reported to Chris Goerner.
- Response and release of fixed version.
- Advisory submission.
Secure Systems Lab
Technical University of Vienna