Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  Aurora WebOPAC SQL Injection - Security Advisory - SOS-12-004

  Brute Force и XSS уязвимости в Webglimpse

  Vulnerability Description: XSS-(CROSS SITE SCRIPTING VULNERABILITIES) (ZAPHOD BREEBLEBROX'S BLOCKER A.K.A. ZB BLOCK)

  phpMyVisites 2.4_XSS

From:henri_(at)_nerv.fi <henri_(at)_nerv.fi>
Date:19 марта 2012 г.
Subject:Case YVS Image Gallery

http://osvdb.org/show/osvdb/79477

The software "YVS Image Gallery" seems to be full of security issues. For example one can have lots of fun with this. Copy from installation.php:

"""
   case(isset($_POST['db_name'])):

       $host = $_POST['host'];
       $db_name = $_POST['db_name'];
       $db_user_name = $_POST['db_user_name'];
       $db_password = $_POST['db_password'];

       $admin_name = $_POST['admin_name'];
       $admin_password = $_POST['admin_password'];

       $o_host = $_POST['o_host'];
       $o_db_name = $_POST['o_db_name'];
       $o_db_user_name = $_POST['o_db_user_name'];
       $o_db_password = $_POST['o_db_password'];

       //read in the file
       $file = "../functions/db_connect.php";
       $fh = fopen($file, 'r+');
       $contents = fread($fh, filesize($file));

       //set up the text to change
       $text_to_change = array();
       $new_text = array();

       $text_to_change[] = '$dbhost="'.$o_host.'"';
       $text_to_change[] = '$dbuser="'.$o_db_user_name.'"';
       $text_to_change[] = '$dbpass="'.$o_db_password.'"';
       $text_to_change[] = '$dbname="'.$o_db_name.'"';

       $new_text[] = '$dbhost="'.$host.'"';
       $new_text[] = '$dbuser="'.$db_user_name.'"';
       $new_text[] = '$dbpass="'.$db_password.'"';
       $new_text[] = '$dbname="'.$db_name.'"';

       $new_contents = str_replace($text_to_change, $new_text, $contents);
       fclose($fh);

       // Open file to write
       $fh = fopen($file, 'r+');
       fwrite($fh, $new_contents);
       fclose($fh);

       //set up new admin user

       include '../functions/db_connect.php';

       db_connect();
"""

I'll bet this software is not used much, but I can list all problems I can find if we want to assign CVE-identifiers to cases like these. No contact information of developer found. Any ideas how to get these fixed or get the code out of internet. The package is also hosted in here: http://www.hotscripts.com/listing/yvs-image-gallery/ (and probably others).

- Henri Salo

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород