[MajorSecurity #18] Ralf Image Gallery <= - Multiple XSS, Remote File Include and directory traversal vulnerabilities ---------------------------------------------- Software: RIG[Ralf Image Gallery] Version: <=0.7.4 Type: Cross site scripting + remote file include + directory traversal Discovery Date: June, 12th 2006 Made public: June, 20th 2006 Vendor: RIG is developed and maintained by Le R'alf Page: http://rig.powerpulsar.com/ Rated as: Very high Credits: ---------------------------------------------- Discovered by: David "Aesthetico" Vieira-Kurz http://www.majorsecurity.de Original Advisory: ---------------------------------------------- http://www.majorsecurity.de/advisory/major_rls18.txt Affected Products: ---------------------------------------------- RIG 0.7.4(unstable) and prior (http://sourceforge.net/project/showfiles.php?group_id=54367&release_id= 179661) RIG 0.6.45 and 0.7(stable) and prior Contacted Vendor: ---------------------------------------------- I have contacted Le R'alf on June, 12th 2006 at 2:37 PM via e-mail, but until today I got no response and the bug was still not fixed!!! Description: ---------------------------------------------- RIG (a.k.a. the Ralf Image Gallery) is a web-based image album viewer. The main application of RIG is a viewer for digital camera albums; as such it offers specific functionalities like automatic image resizing and handling of dated album names. Requirements: ---------------------------------------------- register_globals = On Vulnerability: ---------------------------------------------- check_entry.php: 81: require_once(rig_check_src_file($dir_abs_src . "entry_point.php")); admin_album.php: 31: require_once($dir_abs_src . "common.php"); 32: require_once($dir_abs_admin_src . "admin_util.php"); admin_image.php: 28: require_once($dir_abs_src . "common.php"); 29: require_once($dir_abs_admin_src . "admin_util.php"); admin_util.php: 29: require_once($dir_abs_src . "common.php"); Input passed to the "dir_abs_src" parameter in "check_entry.php" and the "dir_abs_admin_src" parameter in "admin_album.php", "admin_image.php" and "admin_util.php" is not properly verified, before it is used to execute the given arguments. Vuln 1: Acquiring access to known files outside of the web root and current directory is possible through directory traversal techniques. This is made possible through the use of "../../" in a HTTP request. Vuln 2: This can also be exploited to execute arbitrary HTML and script code in context of an affected site. Vuln 3: This can also be exploited to include arbitrary files from external and local resources. Solution: ---------------------------------------------- Replace the vulnerable lines with my fixed lines. This hotfix does only fix the the files against directory traversal and file include vulnerabilities. Line 81 in check_entry.php: require_once(rig_check_src_file($dir_abs_src . "entry_point.php")); MajorSecurity fix option 1: include("entry_point.php"); MajorSecurity fix option 2: require_once(rig_check_src_file("entry_point.php")); In the others vuln files you need to replace following lines: 28: require_once($dir_abs_src . "common.php"); 29: require_once($dir_abs_admin_src . "admin_util.php"); with my fixed lines: 28: require_once("common.php"); 29: require_once("admin_util.php"); Solution(Against XSS-attacks): ---------------------------------------------- Edit the source code to ensure that input is properly sanitised. You should work with "htmlspecialchars()" or "strip_tags()" php-function to ensure that html tags are not going to be executed. Example: <?php echo htmlspecialchars("<script"); ?> Set "register_globals" to "Off".