Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images
From: matthieu.paineauSTOPSPAM () wanadoo fr
Date: 21 Dec 2006 10:28:34 -0000

Preben Nyl√łkken has discovered this vulnerability in MG2, which can be exploited by malicious people to conduct script 
insertion attacks and disclose potentially sensitive information.

When adding a comment to an image, input passed to the "name" parameter isn't properly sanitised before being used. 
This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in 
context of an affected site when the malicious user data is viewed.

The vulnerabilities have been confirmed in version 0.5.1. Other versions may also be affected.


Solution :
// /includes/mg2_functions.php
// Find "function charfix($string) {"
// Replace the entire function by this code :
  function charfix($string) {
    $string = str_replace("*","#",$string);
    $string = str_replace(chr(92).chr(34),""",$string);
    $string = str_replace("\'","'",$string);
    $string = str_replace(chr(34),""",$string);
    $string = htmlspecialchars($string);
    return $string;
  }

//---------
// /index.php
// Find "if ($_REQUEST['action'] == "addcomment"){
// Replace the entire line by this code :
if ($_REQUEST['action'] == "addcomment" && $mg2->showcomments == 1){ 

If your system has been hacked, you should see some 'xxxx.php.comment' or 'xxx.php' files in the /pictures folder. In 
this case, clean by deleting all "*.php", "*.php.comment", "*.asp" in the /pictures folder


  By Date           By Thread  

Current thread:
  • Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images matthieu . paineauSTOPSPAM (Dec 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]