Re: Vulnerability in MG2 php based Image Gallery - bypass security, view password protected images

[matthieu.paineauSTOPSPAM () wanadoo fr]

Preben Nyløkken has discovered this vulnerability in MG2, which can be exploited by malicious people to conduct script 
insertion attacks and disclose potentially sensitive information.

When adding a comment to an image, input passed to the "name" parameter isn't properly sanitised before being used. 
This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in 
context of an affected site when the malicious user data is viewed.

The vulnerabilities have been confirmed in version 0.5.1. Other versions may also be affected.


Solution :
// /includes/mg2_functions.php
// Find "function charfix($string) {"
// Replace the entire function by this code :
  function charfix($string) {
    $string = str_replace("*","#",$string);
    $string = str_replace(chr(92).chr(34),""",$string);
    $string = str_replace("\'","'",$string);
    $string = str_replace(chr(34),""",$string);
    $string = htmlspecialchars($string);
    return $string;
  }

//---------
// /index.php
// Find "if ($_REQUEST['action'] == "addcomment"){
// Replace the entire line by this code :
if ($_REQUEST['action'] == "addcomment" && $mg2->showcomments == 1){ 

If your system has been hacked, you should see some 'xxxx.php.comment' or 'xxx.php' files in the /pictures folder. In 
this case, clean by deleting all "*.php", "*.php.comment", "*.asp" in the /pictures folder