[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Yapig: XSS / Code Injection Vulnerability

Yapig: XSS / Code Injection Vulnerability
Technical University of Vienna Security Advisory
TUVSA-0510-001, October 13, 2005

Affected applications

Yapig (yapig.sourceforge.net)

Versions 0.95b and prior.


1.) Stored XSS

An attacker can include malicious JavaScript by posting an image-related 
comment and inserting something like the following into the "Homepage" form 


This attack falls under the category of stored cross-site scripting and doesn't 
require the attacker to be logged in.

2.) Reflected XSS

An attacker can include malicious JavaScript by tricking a user into clicking a 
link to the following URL:


The fields "your-server" and "path-to-yapig" in the given URL have to be 
adjusted accordingly. The parameters "gid=1" and "phid=1" assume that there 
exist a gallery and a photo with ID 1 and can be adjusted as well.

Moreover, the width of the image being viewed has to be less than $MAX_IMG_SIZE 
(set inside config.php) because otherwise, the vulnerable variable $img_size is 
set to a safe value inside the if-branch on line 120 of view.php. And finally, 
register_globals has to be active.

3.) Code Injection

An attacker can inject arbitrary PHP code into a gallery's "guid_info.php" file 
by tricking the logged-in admin into clicking a link to a page with the 
following contents:

    <form method="post" 
      <input value='TestGallery"; echo "evil' name="title" type="text">
      <input value="TestAuthor" name="author" type="text">
      <input value="TestDate" name="date" type="text"> 
      <input value="" name="dir" type="text">
      <input value="TestDescription" name="desc" type="text">
      <input type="submit">

    <script type="text/javascript">

As for vulnerability #2, "your-server", "path-to-yapig", "gid" and "phid" can 
be adjusted.

Apart from this, Yapig seems to be susceptible to "Cross-Site Request Forgery" 
(CSRF) attacks in general. However, this problem is not limited to Yapig, but 
affects a large number of comparable web applications available at this time.


Attempts to contact the authors were not successful until now, so there is no 
official solution available yet.


September 28, 2005: Attempt to contact Yapig developers via "natasab at 

October 5, 2005: Attempt to contact Yapig developers via Sourceforge bug 

October 13, 2005: Advisory submission.

Nenad Jovanovic
Secure Systems Lab 
Technical University of Vienna 