by r0t, der4444, cembo, VietMafia

Tuesday, December 13, 2005

Snipe Gallery SQL&XSS vuln.

Vuln. discovered by: r0t
Date: 13 Dec. 2005
Vendor: http://www.snipegallery.com/
Affected version: 3.1.4 and prior

Product Description:

Snipe Gallery is a searchable PHP/MySQL photo gallery manager. Features: easy to install; dynamic thumbnailing, but only in the admin, and only if the thumbnail doesn't already exist, to keep the server load down; ability for the admin to suppress images that should not appear in user view; supports PNG, JPG, and GIF images (depending on your version of the GD library); error checking to prevent the admin from deleting categories with images or subcategories within them; "silent" keyword assignment in the admin; RSS newsfeed tie-in; IPTC metadata import; bulk image import via .zip file and/or local files; a cropping/thumbnailing tool to allow cropping and custom thumbnailing on the fly; and images are searchable by title, description, photographer, location, and keyword.

Vuln. Description:

1. SQL inj.
Snipe Gallery contains a flaw that allows remote SQL injection attacks. Input passed to the "gallery_id" and "image_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2. XSS attack
Snipe Gallery contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "keyword" parameter in "search.php" isn't properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


examples:

SQL
/view.php?gallery_id=[SQL]
/image.php?page=1&gallery_id=1&image_id=[SQL]

XSS
/search.php?keyword=%22%3E%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E&search_cat=&search_type=and


Solution:
Edit the source code to ensure that input is properly sanitised.
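The advisory only says "properly sanitise"; the following is an added illustration of what that means for the two flaws described above. It is not Snipe Gallery's code and the function, table and column names (fetch_image, search_images, images, hidden, keywords, etc.) are assumptions. Numeric identifiers are validated as integers and bound as query parameters, and the reflected keyword is bound as a LIKE parameter for the query and HTML-encoded once at output, so neither value can change the structure of the SQL or of the page.

```php
<?php
// Added example of the fix the advisory recommends: NOT Snipe Gallery code.
// Table/column names (images, gallery_id, image_id, hidden, keywords) are assumed.

// 1. view.php / image.php: gallery_id and image_id must be integers.
//    Validate them and bind them, so request text never reaches the SQL parser.
function fetch_image(mysqli $db, array $get): ?array
{
    // FILTER_VALIDATE_INT rejects anything that is not a whole integer
    // (e.g. "1 OR 1=1", "1'"); it does not merely strip characters.
    $gallery_id = filter_var($get['gallery_id'] ?? null, FILTER_VALIDATE_INT);
    $image_id   = filter_var($get['image_id']   ?? null, FILTER_VALIDATE_INT);
    if ($gallery_id === false || $image_id === false) {
        return null; // a non-integer id is "not found", never part of a query
    }

    $stmt = $db->prepare(
        'SELECT image_id, title, filename FROM images
          WHERE gallery_id = ? AND image_id = ? AND hidden = 0'
    );
    $stmt->bind_param('ii', $gallery_id, $image_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// 2. search.php: the free-text keyword is bound as a parameter for the query.
//    LIKE wildcards are escaped so the user cannot widen the match either.
function search_images(mysqli $db, string $keyword): array
{
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';
    $stmt = $db->prepare(
        'SELECT image_id, title FROM images
          WHERE (title LIKE ? OR description LIKE ? OR keywords LIKE ?)
            AND hidden = 0'
    );
    $stmt->bind_param('sss', $pattern, $pattern, $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// 3. Output encoding for the reflected keyword. ENT_QUOTES encodes both quote
//    characters, so the value stays inert both in text and inside attributes;
//    the advisory's "><script> payload becomes &quot;&gt;&lt;script&gt; ...
function render_search_header(string $keyword): string
{
    $safe = htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Results for &quot;' . $safe . '&quot;</h2>' . "\n"
         . '<input type="text" name="keyword" value="' . $safe . '">';
}

// Usage in search.php (assumed $db is an open mysqli connection):
//   $keyword = (string)($_GET['keyword'] ?? '');
//   echo render_search_header($keyword);
//   foreach (search_images($db, $keyword) as $row) { /* render $row */ }
```

The two halves are deliberately separate: parameter binding fixes the SQL injection and does nothing for the XSS, while output encoding fixes the XSS and does nothing for the SQL injection. Encoding at output time, rather than on input, keeps the stored value intact and avoids double-encoding when the same keyword is displayed in more than one place.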

Copyright (c) 2006 Pridels Sec Crew