Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

PhpWebFTP 3.2    Login Script

MyEvent Remote File Execution And XSS Attacking

Calendarix "yearcal. php" XSS Attacking

FlexBB v0.5.5 BETA [SQL Inj] [XSS] [Login bypass]

From:	rgod_(at)_autistici.org <rgod_(at)_autistici.org>
Date:	17.04.2006
Subject:	- PHPGraphy <= 0.9.11 "editwelcome" unauthorized access / cross site scripting -

- PHPGraphy <= 0.9.11 "editwelcome" unauthorized access / cross site scripting -

--------------------------------
software site: http://phpgraphy.sourceforge.net/
description: "Full featured photo gallery PHP script - Light, fast and easy to
             install"

vulnerable code index.php near line 503-10:

...
if ($updwelcome && isset($welcomedata) && check_welcome($dir)) {
if (strlen($welcomedata) < 10000) {

  write_welcome($dir,$welcomedata);
  echo "<html><script language=\"javascript\">window.opener.
location=\"?dir=".rawurlencode($dir).
"\";window.close();</script></html>";
  } else echo "Sorry more data (10k) than allowed, protection aborting the operation<br />";
  exit;
}
...

poc, a remote user can go to this url:

http://[target]/[path]/index.php?dir=&editwelcome=1&popup=0

to have unauthorized access to some edit functionalities and to insert html/
/javascript code or simply deface the main page

temporary patch -> replace this line:

...
if ($updwelcome && isset($welcomedata) && check_welcome($dir)) {
...

with:

...
if ($admin && $updwelcome && isset($welcomedata) && check_welcome($dir)) {
...

--------------------------------------------------------------------------------

rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/phpgraphy_0911_adv.html
--------------------------------------------------------------------------------