[VIM] Wingnut EasyGallery XSS smells like more

Steven M. Christey coley at mitre.org
Fri Apr 21 02:51:21 EDT 2006


Ref: CVE-2006-1972

EasyGallery is apparently by some developer named wingnut.  Source for
version 2 is available at wingnut.net.ms and maybe elsewhere.

I do not have sufficient proof, and have already recently posted a
correction to a botan post... but here's an extract from
EasyGallery.php that make me think it's more than XSS.  (Note - there
might be other vectors involving $ordner, besides the reported one.)


  if (!isset($all)&&!isset($thumbnails)&&!isset($tplus)&&!isset($tminus)&&!isset($tminus_x)&&!isset($tplus_x))
  {
    // --begin comments
    extract($_POST);
    $comment = $ordner."/comments.txt";
    if(file_exists($comment))
    {    
    ...
	      $file = file($comment);
	      $whandle = fopen($comment,"w+");
    ...
		    $msg = stripslashes($msg);
		    fputs($whandle, "$temp|$author|$msg \n");



======================================================
Name: CVE-2006-1972
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1972
Reference: BUGTRAQ:20060419 EasyGallery Cross-Site Scripting
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/431430/100/0/threaded
Reference: MISC:http://advisory.patriotichackers.com/index.php?itemid=5

Cross-site scripting (XSS) vulnerability in EasyGallery.php in Wingnut
EasyGallery allows remote attackers to inject arbitrary web script or
HTML via the ordner parameter.




More information about the VIM mailing list