#######################################################################
Application:   Gallery
Vendors:       http://gallery.sourceforge.net
               http://gallery.menalto.com
Versions:      <= 1.3.3
Platforms:     Windows/Unix
Bug:           Cross Site Scripting Vulnerability
Risk:          Low
Exploitation:  Remote with browser
Date:          30 Dec 2003
Author:        Rafel Ivgi, The-Insider
e-mail:        the_insider@mail.com
web:           http://theinsider.deep-ice.com
#######################################################################

1) Introduction
2) Bug
3) The Code

#######################################################################

===============
1) Introduction
===============

Gallery 1.3.3 is an automated PHP gallery engine. It is quite secure and very effective as a web gallery.

#######################################################################

======
2) Bug
======

When the web server hosting Gallery 1.3.3 receives a "GET /<galleryfolder>/search.php" request, it serves search.php as it should. However, when a user searches for "<script>alert('XSS')</script>", or the request is "GET /<galleryfolder>/search.php?searchstring=<script>alert('XSS')</script>", the server allows an attacker to inject and execute scripts.

#######################################################################

===========
3) The Code
===========

http://<host>/<galleryfolder>/search.php?searchstring=<script>alert('XSS')</script>

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."
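The defect class behind section 2 is a search term written back into the HTML response without output encoding. The following is an added illustration, not Gallery's own source: a hypothetical search handler in its vulnerable form next to the corrected form, fed the probe string quoted in the advisory.

```php
<?php
// Illustrative example added to this advisory; it is not Gallery's code.
// It shows a search term reflected into HTML unencoded (the defect class
// described in section 2) beside the corrected output encoding.

// Vulnerable form: the request parameter is concatenated straight into the
// response body, so any markup carried in the URL is parsed as page content.
function render_search_vulnerable(string $searchstring): string
{
    return '<p>Results for: ' . $searchstring . '</p>';
}

// Hardened form: encode for the HTML text context at the point of output.
// ENT_QUOTES encodes both quote styles (safe inside attributes too);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function render_search_fixed(string $searchstring): string
{
    $safe = htmlspecialchars($searchstring, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for: ' . $safe . '</p>';
}

// Regression check worth keeping in a test suite: no raw tag opener from the
// input may survive encoding into the rendered page.
function reflects_raw_markup(string $rendered): bool
{
    return stripos($rendered, '<script') !== false;
}

// Constructed input: the probe string from the advisory. Under a web server
// $_GET['searchstring'] takes its place; on the CLI an argument may be given.
$searchstring = $_GET['searchstring'] ?? $argv[1] ?? "<script>alert('XSS')</script>";

echo 'vulnerable: ', render_search_vulnerable($searchstring), PHP_EOL;
echo 'fixed:      ', render_search_fixed($searchstring), PHP_EOL;
echo 'raw markup reflected by vulnerable form: ',
     var_export(reflects_raw_markup(render_search_vulnerable($searchstring)), true), PHP_EOL;
echo 'raw markup reflected by fixed form:      ',
     var_export(reflects_raw_markup(render_search_fixed($searchstring)), true), PHP_EOL;
```

Encoding at output time, rather than filtering on input, is the fix that holds regardless of which characters a future probe string uses.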