[VIM] Wingnut EasyGallery XSS smells like more
Steven M. Christey
coley at mitre.org
Fri Apr 21 02:51:21 EDT 2006
Ref: CVE-2006-1972
EasyGallery is apparently by some developer named wingnut. Source for
version 2 is available at wingnut.net.ms and maybe elsewhere.
I do not have sufficient proof, and have already recently posted a
correction to a botan post... but here's an extract from
EasyGallery.php that makes me think it's more than XSS. (Note - there
might be other vectors involving $ordner, besides the reported one.)
if (!isset($all)&&!isset($thumbnails)&&!isset($tplus)&&!isset($tminus)&&!isset($tminus_x)&&!isset($tplus_x))
{
    // --begin comments
    extract($_POST);
    $comment = $ordner."/comments.txt";
    if(file_exists($comment))
    {
        ...
        $file = file($comment);
        $whandle = fopen($comment,"w+");
        ...
        $msg = stripslashes($msg);
        fputs($whandle, "$temp|$author|$msg \n");
======================================================
Name: CVE-2006-1972
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1972
Reference: BUGTRAQ:20060419 EasyGallery Cross-Site Scripting
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/431430/100/0/threaded
Reference: MISC:http://advisory.patriotichackers.com/index.php?itemid=5
Cross-site scripting (XSS) vulnerability in EasyGallery.php in Wingnut
EasyGallery allows remote attackers to inject arbitrary web script or
HTML via the ordner parameter.
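The pattern in the extract above, re-created as an added CLI example (this is not EasyGallery's code and not part of the original post): extract($_POST) turns every POSTed field into a local variable, so a client-supplied ordner silently replaces the one the script set, and that value is concatenated into a filesystem path before file_exists() and fopen(). The hardened version beside it reads the field explicitly, restricts it to a plain directory name, and checks that the resolved path stays under a gallery root. The name $galleryRoot, the whitelist pattern and the appendComment() writer are assumptions for this demonstration.

```php
<?php
// Added example, not EasyGallery's code. Re-creates the extract()/path
// construction pattern from the advisory in a CLI script so the effect of a
// POSTed "ordner" can be observed without a web server.

// Vulnerable shape: extract() overwrites $ordner (an existing variable, here a
// parameter) with whatever the client posted, and the result is used as a path.
function vulnerableCommentPath(array $post, string $ordner): string
{
    extract($post);                       // EXTR_OVERWRITE is the default
    return $ordner . "/comments.txt";
}

// Hardened shape: read one field explicitly, constrain it to a plain directory
// name, and require the resolved directory to sit under the gallery root
// ($galleryRoot is an assumed configuration value for this example).
function safeCommentPath(array $post, string $galleryRoot): ?string
{
    $ordner = isset($post['ordner']) ? (string) $post['ordner'] : '';
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $ordner)) {
        return null;                      // "../", "/" and NUL never reach the filesystem
    }
    $root = realpath($galleryRoot);
    $dir  = realpath($galleryRoot . DIRECTORY_SEPARATOR . $ordner);
    if ($root === false || $dir === false
        || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // missing album, or a symlink pointing outside
    }
    return $dir . DIRECTORY_SEPARATOR . 'comments.txt';
}

// The original fputs("$temp|$author|$msg \n") only runs stripslashes() on $msg,
// so a "|" or newline in the message forges extra fields or whole records.
// This assumed writer neutralises the separators before appending.
function appendComment(string $path, string $author, string $msg): void
{
    $clean = function (string $s): string {
        return str_replace(["\r", "\n", "|"], ' ', $s);
    };
    $line = time() . '|' . $clean($author) . '|' . $clean($msg) . "\n";
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
}

// --- constructed demo input ------------------------------------------------
$galleryRoot = sys_get_temp_dir() . '/eg_demo_' . getmypid();
mkdir($galleryRoot . '/album1', 0700, true);
touch($galleryRoot . '/album1/comments.txt');

$ordner = 'album1';                       // what the script intended to use
$post   = [                               // what a hostile client posts
    'ordner' => '../../../../etc',
    'author' => 'a|b',
    'msg'    => "first\n1|forged|record",
];

// The vulnerable path escapes the gallery; note the original only writes it
// when a comments.txt already exists at that location.
echo "vulnerable path: ", vulnerableCommentPath($post, $ordner), "\n";

// The hardened function rejects the traversal value outright.
var_dump(safeCommentPath($post, $galleryRoot));

// A legitimate album name resolves under the root and the record is written
// as a single line with separators neutralised.
$ok = safeCommentPath(['ordner' => 'album1'], $galleryRoot);
echo "safe path: $ok\n";
appendComment($ok, $post['author'], $post['msg']);
echo file_get_contents($ok);

// cleanup of the constructed directory
unlink($ok);
rmdir($galleryRoot . '/album1');
rmdir($galleryRoot);
```

Run it with php on the command line. The important caveat, visible in the advisory's own extract, is the file_exists() guard: the write only happens if a comments.txt already exists in the attacker-chosen directory, so the exposure is overwriting (and, via $msg, injecting records into) an existing file rather than creating an arbitrary one.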