SNS Vulnerability

Gallery Directory Traversal and Cross Site Scripting Vulnerabilities

Description

Multiple vulnerabilities were identified in Gallery, which could be exploited by attackers to gain knowledge of sensitive information or conduct directory traversal and cross site scripting attacks.
The first flaw is due to an input validation error in the "Add Image From Web" feature when processing javascript code embedded in <img> tags, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
The second issue is due to an input validation error in the "zipcart" module (not enabled by default) that does not properly filter certain parameters, which may be exploited by remote attackers to retrieve arbitrary files from a vulnerable system via directory traversal attacks.
The third vulnerability is due to a design error where the installation log is created and stored in the webroot directory, which could be exploited by remote attackers to disclose sensitive information.

Vulnerable Products

Vulnerable Software:
Gallery version 2.0Gallery version 2.0.1Gallery version 2.0 RC 2Gallery version 2.0 RC 1Gallery version 2.0 Beta 3Gallery version 2.0 Beta 2Gallery version 2.0 Beta 1Gallery version 2.0 Alpha 4Gallery version 2.0 Alpha 3Gallery version 2.0 Alpha 2Gallery version 2.0 Alpha 1

Solution

Upgrade to Gallery version 2.0.2 : http://gallery.menalto.com

CVE

CVE-2005-4023
CVE-2005-4022
CVE-2005-4021

References

http://www.frsirt.com/english/reference/1636

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL	3.2.0
XSS - Prevention - POST : suspicious tag with event found in data	3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL	3.2.0
XSS - Prevention - GET : javascript code in flash clickTAG parameter	3.2.0
XSS - Prevention - POST : suspicious 'object' tag found in data	3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL	3.2.0
XSS - Prevention - POST : suspicious 'applet' tag found in data	3.2.0
XSS - Prevention - POST : 'location' javascript object found in data	3.2.0
XSS - Phishing : suspicious 'div' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL	3.2.0
XSS - Prevention - POST : javascript code found in data	3.2.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data	3.2.0
XSS - Prevention - POST : code allowing cookie access found in data	3.2.0
XSS - Phishing : suspicious 'a' tag found in URL	3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL	3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL	3.2.0
XSS - Phishing : suspicious 'form' tag found in URL	3.2.0
XSS - Prevention - POST : suspicious 'embed' tag found in data	3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data	3.2.0
XSS - Prevention - GET : javascript code found in URL	3.2.0
XSS - Prevention - GET : 'script' tag in flash clickTAG parameter	3.2.0
XSS - Prevention - POST : suspicious 'div' tag found in data	3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL	3.2.0
XSS - Phishing : suspicious 'link' tag found in URL	3.2.0
XSS - Prevention - GET : 'script' tag found in URL	3.2.0
XSS - Prevention - POST : 'script' tag found in data	3.2.0
XSS - Prevention - POST : suspicious 'style' attribute found in data	3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL	3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL	3.2.0

Risk level

Low

Vulnerability First Public Report Date

2005-12-01

Target Type

Server

Possible exploit

Local & Remote