by r0t,der4444,cembo,VietMafia

Tuesday, December 13, 2005

mcGallery PRO vuln.

Vuln. discovered by: r0t
Date: 13 Dec. 2005
Vendor: http://mcgallerypro.com/
Affected version: 2.2 and prior


Product Description:

A Pro version of mcGallery. Features: displays photos, videos and Flash movies; creates thumbnails for photos; multi-level restricted access; unlimited number of albums; albums sorted in categories; news system; complete admin panel with stats, members administration and design settings; users can post comments, send e-cards, choose interface language, build their own albums, and download their selection as a zip file; slideshow and user upload with moderation; automated installation; 7 language files; Frontpage compliance; "register-globals off" compliance. WAP ability for admin, multiple admins, smilies in comments and e-cards. Top Ten, upload by email, PNG support, WMV support, and plenty of new little settings. Last added: complete guestbook system.




Vuln. Description:


1. Local file include:
Input passed to the "language" parameter in "index.php" is not properly verified before it is used to include files. This can be exploited, via "../" directory traversal, to include arbitrary files from local resources.

2. SQL injection:
mcGallery PRO contains a flaw that allows remote SQL injection attacks. Input passed to the "id", "start", "album" and "rand" parameters is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


3. XSS:
mcGallery PRO contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to search module parameters is not properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

A few examples:

/index.php?language=../FILE

/show.php?start=0&id=[SQL]
/show.php?start=[SQL]
/index.php?album=[SQL]
/show.php?rand=1&id=[SQL]
/show.php?rand=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised: resolve "language" against a fixed list of language files instead of using it in an include path, cast "id", "start", "album" and "rand" to integers (or bind them as query parameters) before they reach SQL, and HTML-encode search input before echoing it back to the browser.
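The three checks above, shown against the parameters this advisory names, as an added example. This is not mcGallery PRO's code (the product's PHP is not on this page); the language allowlist, the "lang" directory, the photo table and the request values are all constructed for the demo. The vulnerable_fetch function reproduces the concatenation pattern the SQL injection item describes so the difference from the bound-parameter version is visible on real rows.

```python
import html
import os
import re
import sqlite3

# Assumed allowlist standing in for the advisory's "7 language files"
# (constructed for this example; the real file names are not on the page).
LANGUAGES = {"en", "fr", "de", "es", "it", "nl", "pt"}
LANG_DIR = "lang"  # assumed directory holding the language files


def safe_language_file(language):
    """LFI fix for index.php?language=: resolve the parameter against a fixed
    allowlist instead of splicing it into an include path. Anything else,
    including the "../FILE" traversal from the advisory, gets the default."""
    if language in LANGUAGES:
        return os.path.join(LANG_DIR, language + ".php")
    return os.path.join(LANG_DIR, "en.php")


def safe_int(value, default=0):
    """SQLi fix for the numeric parameters (id, start, album, rand): accept
    only a short, unsigned decimal string; anything else becomes the default."""
    if isinstance(value, str) and re.fullmatch(r"[0-9]{1,9}", value):
        return int(value)
    return default


def vulnerable_fetch(conn, raw_id):
    """The pattern the advisory describes: the raw id is concatenated into
    the query, so show.php?id=1 OR 1=1 returns every photo."""
    sql = "SELECT id, title FROM photos WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_photos(conn, album, start, limit=10):
    """show.php-style listing with bound parameters: the values are handed to
    the driver, never formatted into the SQL text."""
    sql = ("SELECT id, title FROM photos WHERE album = ? "
           "ORDER BY id LIMIT ? OFFSET ?")
    return conn.execute(sql, (album, limit, start)).fetchall()


def render_search_result(term):
    """XSS fix for the search module: HTML-encode the echoed search term."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def build_demo_db():
    """Constructed in-memory stand-in for the gallery's photo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, album INTEGER, title TEXT)")
    conn.executemany("INSERT INTO photos VALUES (?, ?, ?)",
                     [(1, 1, "beach"), (2, 1, "sunset"), (3, 2, "private")])
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    print(safe_language_file("../FILE"))                 # falls back to lang/en.php
    print(len(vulnerable_fetch(conn, "1 OR 1=1")))       # all 3 rows leak
    print(fetch_photos(conn, safe_int("1 OR 1=1", 1), safe_int("0")))
    print(render_search_result("<script>alert(1)</script>"))
```

Note that safe_int rejects the whole value rather than stripping the bad part: a parameter such as "1 OR 1=1" becomes the default, so the query still runs but only ever sees an integer. The allowlist in safe_language_file makes path traversal impossible by construction, which is a stronger guarantee than trying to filter "../" out of the string.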

1 Comment:

Anonymous Tropical Screensaver told...

Greetings to you. Screensaver related information is of great interest to me and so I am usually online checking it out. I came across your site and spent some time checking out your content, although I was really interested in screensaver related stuff. Keep up the good work.

Maybe you can drop by my site http://www.natureislephotos.com one of those days.

8:45 PM

Copyright (c) 2006 Pridels Sec Crew