Anatomy of a real life XSS vulnerability…
Recently I got an email from Ivan Buetler of the GESEC Team, reporting a security vulnerability in the latest stable version (1.4.25) of Coppermine Photo Gallery. The exploit was reported in the URI upload mechanism of Coppermine, which allows users to provide the URI of an image anywhere on the web and make it part of their own photo gallery.
The initial report placed the vulnerability in CPG 1.5.2, which is currently in beta. However, URI upload has been removed from the core feature set of Coppermine Photo Gallery since the 1.5 branch, so the issue affects only the 1.4.x branch.
The vulnerability, a cross-site scripting (XSS) flaw, existed because the data shown in the error message for a failed URI upload was not properly escaped. Since the value entered by the user is echoed back verbatim, it must be passed through a PHP function such as htmlentities() so that none of the HTML or JavaScript the user entered can execute in the browser. This was overlooked in this particular case, allowing a malicious user to run harmful JavaScript in the client's browser.
Through a suitably crafted HTML form, a malicious user could use this flaw to steal the cookie of a logged-in user and thereby gain access to that user's valid session. Following is the sample code that can be used to exploit the vulnerability.
Here's the screenshot of the resulting page, which displays the cookie information of the logged-in user.
The Coppermine team acted immediately on receiving the notification and corrected the code responsible for this vulnerability. The fix simply applies htmlentities() to convert all applicable characters to their equivalent HTML entities before the data is displayed. Following is the code snippet from upload.php that caused the vulnerability:
```php
// Cycle through the file upload errors.
for ($i = 0; $i < $URI_error_count; $i++) {
    // Print the error ordinal, file name, and error code.
    // 'URI_name' is the user-supplied URI and is interpolated unescaped,
    // so any HTML or JavaScript it contains is sent straight to the browser.
    echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} {$URI_failure_array[$i]['URI_name']}</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";
}
```
Fixed version using htmlentities:
```php
// Cycle through the file upload errors.
for ($i = 0; $i < $URI_error_count; $i++) {
    // Print the error ordinal, file name, and error code.
    // The user-supplied URI is now passed through htmlentities() first.
    echo "<tr><td>{$URI_failure_array[$i]['failure_ordinal']} " . htmlentities($URI_failure_array[$i]['URI_name']) . "</td><td>{$URI_failure_array[$i]['error_code']}</td></tr>";
}
```
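As an added illustration (my own example, not Coppermine's code), the same failure table rendered through a small escaping helper that passes ENT_QUOTES and an explicit charset to htmlentities() and escapes every interpolated field, not only URI_name; the failure array here is constructed to exercise the helper.

```php
<?php
// Added example, not code from Coppermine. Renders a constructed
// $URI_failure_array with every field escaped before it reaches the HTML.

// HTML-escape a value for element-text and attribute contexts.
// ENT_QUOTES also converts single quotes, which the default flags leave
// alone, so the result is safe inside single-quoted attributes as well.
function e($value): string
{
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

// Build the upload-failure rows; every interpolated value goes through e().
function render_uri_failures(array $failures): string
{
    $html = '';
    foreach ($failures as $f) {
        $html .= '<tr><td>' . e($f['failure_ordinal']) . ' ' . e($f['URI_name'])
               . '</td><td>' . e($f['error_code']) . '</td></tr>' . "\n";
    }
    return $html;
}

// Constructed sample data: the second and third entries carry markup and a
// quote in the user-supplied URI name, the field the original code echoed raw.
$URI_failure_array = [
    ['failure_ordinal' => 1, 'URI_name' => 'http://example.invalid/a.jpg',
     'error_code' => 'Not an image'],
    ['failure_ordinal' => 2, 'URI_name' => '<script>alert(1)</script>',
     'error_code' => 'Fetch failed'],
    ['failure_ordinal' => 3, 'URI_name' => "x' onerror='alert(1)",
     'error_code' => 'Fetch failed'],
];

$out = render_uri_failures($URI_failure_array);
echo $out;

// Self-check: no raw tag or quote from the input survives into the output.
assert(strpos($out, '<script') === false);
assert(strpos($out, "'") === false);
assert(strpos($out, '&lt;script&gt;') !== false);
```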
A newer version of Coppermine Photo Gallery (1.4.26), which addresses this issue, is now available for download. The CPG team recommends that all users running CPG 1.4.25 or older upgrade to the latest version immediately.
This release also addresses some language files and other non-critical issues. The full changelog and the instructions for upgrading to the latest version can be found in the official announcement on the CPG forum.
About this entry
You’re currently reading “Anatomy of a real life XSS vulnerability…,” an entry on SANIsoft – PHP for E Biz
- Published: 2.8.10 / 11:45am
- Category: Coppermine, Open Source, PHP, Security
- Author: Aditya Mooley