[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Gallery is still vulnerable to Cross-site Scripting attacks
- To: gallery-devel@xxxxxxxxxxxxxxxxxxxxx
- Subject: Gallery is still vulnerable to Cross-site Scripting attacks
- From: Jon Keating <jon@xxxxxxxx>
- Date: Wed, 2 Feb 2005 10:39:26 -0500
Hello,
After testing out the updates to CVS for Gallery, I realized it is still
vulnerable to the cross-site scripting attacks that was mentioned in the first
advisory.
The following code was committed to CVS:
/*
* Test for relative URL, which we know to be local. If URL contains ://
* assume that it's remote and test it against our local full URLs
* to ensure security. Don't check for http:// or https:// because
* for all we know, someone put their album URL on a gopher server...
*/
if ($return[0] != '/' && strstr($return, '://') !== false) {
if (strncmp($return, $gallery->app->photoAlbumURL,
strlen($gallery->app->photoAlbumURL) != 0) &&
strncmp($return, $gallery->app->albumDirURL,
strlen($gallery->app->albumDirURL) != 0)) {
die(_('Attempted security breach.'));
}
}
The problem is with the strncmp(). If you look closely you will see that the
comparison != 0 occurs _inside_ the strncmp(). On my system this makes strncmp
be true and return 0. So the URL is "validated" and continues down the chain
giving the same cross-site scripting attack as before. The correct code should
be:
/*
* Test for relative URL, which we know to be local. If URL contains ://
* assume that it's remote and test it against our local full URLs
* to ensure security. Don't check for http:// or https:// because
* for all we know, someone put their album URL on a gopher server...
*/
if((isset($return)) && ($return[0] != '/') && strstr($return, "://")) {
if (strncmp($return, $gallery->app->photoAlbumURL,
strlen($gallery->app->photoAlbumURL)) != 0 &&
strncmp($return, $gallery->app->albumDirURL,
strlen($gallery->app->albumDirURL)) != 0) {
die(_('Attempted security breach.'));
}
}
I removed the '!== false' because it is unnecesary in PHP.
The file that this code is taken from is do_command.php
Jon
____________________________________________________________________
Jon Keating jon@xxxxxxxx
ICQ: 16325723 emostar on irc.freenode.net
Shizuoka-Ken, Mishima-Shi, JAPAN