======================================================================
SecWatch 16/08/2005
Mig Remote Cross-Site Scripting and Information Disclosure Vulnerabilities
======================================================================

Table of Contents

Product Introduction.................................................1
Affected.............................................................2
Severity.............................................................3
Description of Vulnerability.........................................4
Proof of Concept.....................................................5
Solution.............................................................6
Workaround...........................................................7
Time Line............................................................8
Credits..............................................................9

======================================================================

1) Introduction

Homepage:
http://mig.sourceforge.net/

Overview:
Mig (aka "My Image Gallery") is a photo album / image gallery management system.

Advisory:
http://secwatch.org/advisories/secwatch/20050813_Mig.txt

SWID: 1011412

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2604
http://sourceforge.net/project/shownotes.php?release_id=349348
http://secwatch.org/advisories/1011412
http://osvdb.org/displayvuln.php?osvdb_id=18741
http://osvdb.org/displayvuln.php?osvdb_id=18742
http://www.securityfocus.com/bid/14570
http://www.frsirt.com/english/advisories/2005/1432
http://secunia.com/advisories/16405/

======================================================================

2) Affected

Mig version 1.4.1
Prior versions may also be affected.
======================================================================

3) Severity

Rating:  Less Critical
Impact:  Exposure of system information
         Manipulation of data
         Cross Site Scripting
Where:   From remote
Action:  Public disclosure

======================================================================

4) Description of Vulnerabilities

Multiple input validation vulnerabilities in Mig have been reported, which can be exploited by remote users to conduct cross-site scripting attacks and disclose the installation path.

User-supplied input passed to the "currDir" and "image" parameters is not correctly sanitised before being returned to the browser. This can be exploited to execute arbitrary script code in the security context of an affected website; as a result, the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can also submit a specially crafted value for the "image" parameter to disclose the installation path.

======================================================================

5) Proof of Concept

Cross-Site Scripting:
http://[target]/[path]/index.php?currDir=./
http://[target]/[path]/index.php?currDir=./test&pageType=image&image=

Information Disclosure:
http://[target]/[path]/index.php?currDir=./test&pageType=image&image=/

======================================================================

6) Solution

The vulnerabilities have been fixed in version 1.5.0, available at:
http://sourceforge.net/project/showfiles.php?group_id=24365

Edit source manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via an HTTP proxy or firewall with URL filtering capabilities.

Production systems should not return errors to clients.
======================================================================

7) Workaround

Change line ~288 of "index.php" from:

    $currDir = rawurldecode($enc_currdir);

To:

    $currDir = htmlentities(rawurldecode($enc_currdir));

Change line ~3747 of "index.php" from:

    $mig_config['image'] = $image;

To:

    $mig_config['image'] = htmlentities($image);

Change lines ~2519 of "index.php" from:

    if ($mig_config['pagetype'] == 'image') {
        $imageProps = GetImageSize($mig_config['albumdir']."/$currDir/"
                                   .$mig_config['image']);

To:

    if ($mig_config['pagetype'] == 'image') {
        if (!is_file($mig_config['albumdir']."/$currDir/".$mig_config['image']))
            die("ERROR: Image file does not exist!");
        $imageProps = GetImageSize($mig_config['albumdir']."/$currDir/"
                                   .$mig_config['image']);

======================================================================

8) Time Line

12/08/2005 - Information reported to SecWatch.
13/08/2005 - Information validated by SecWatch. Vendor notified with suggested workarounds.
15/08/2005 - Vendor response acknowledging vulnerabilities.
16/08/2005 - Fixed version 1.5.0 released addressing issues. Fixed version tested, advisory released.

======================================================================

9) Credits

Discovered by an anonymous person, reported via SecWatch.
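Added example (editor's illustration, not Mig's code, the vendor's 1.5.0 patch, or the exact section 7 workaround): the two defects described in section 4 and the shape of the fixes from section 7, in stand-alone PHP. The function names, the $albumDir layout and the realpath()-based containment check are assumptions of this example; the advisory itself only adds htmlentities() and an is_file() check. It runs from the command line and builds its own throwaway album directory under the system temp directory.

```php
<?php
// Added example, not part of the SecWatch advisory or of Mig.
// Function names and the album layout below are assumptions.

/**
 * The vulnerable pattern from section 4: the decoded "currDir" parameter
 * is placed straight into HTML, so markup inside it is interpreted by the
 * browser in the site's origin. Kept only for comparison.
 */
function render_title_vulnerable(string $currDir): string
{
    return "<h1>Album: " . rawurldecode($currDir) . "</h1>";
}

/**
 * The section 7 change, htmlentities(rawurldecode(...)), applied at the
 * point where the value is emitted. ENT_QUOTES also encodes single quotes,
 * which matters when the value lands inside an HTML attribute.
 */
function render_title_safe(string $currDir): string
{
    $encoded = htmlentities(rawurldecode($currDir), ENT_QUOTES, 'UTF-8');
    return "<h1>Album: " . $encoded . "</h1>";
}

/**
 * Resolve the requested image to a regular file inside $albumDir.
 * Section 7's is_file() check stops GetImageSize() from emitting the PHP
 * warning that disclosed the installation path; resolving with realpath()
 * and checking the prefix additionally rejects "../" sequences that would
 * point outside the album tree. Returns the absolute path, or null on any
 * failure so the caller can send a generic error (section 6: production
 * systems should not return errors to clients).
 */
function resolve_image_path(string $albumDir, string $currDir, string $image): ?string
{
    $base = realpath($albumDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . rawurldecode($currDir) . '/' . $image);
    if ($candidate === false || !is_file($candidate)) {
        return null;  // missing file, or a directory such as image=/
    }
    // Compare with a trailing separator so "/var/albums2" cannot pass
    // for "/var/albums".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;  // resolved outside the album tree
    }
    return $candidate;
}

// --- constructed demonstration inputs (not taken from the advisory) ---
$hostile = '<b>album</b>';

echo render_title_vulnerable($hostile), "\n";   // tags reach the browser intact
echo render_title_safe($hostile), "\n";         // &lt;b&gt;album&lt;/b&gt; shown as text

// Constructed album layout; point $albumDir at a real gallery to try it there.
$albumDir = sys_get_temp_dir() . '/mig_example_albums';
@mkdir($albumDir . '/test', 0700, true);
file_put_contents($albumDir . '/test/photo.jpg', 'placeholder, not a real image');

var_dump(resolve_image_path($albumDir, './test', 'photo.jpg') !== null); // bool(true)
var_dump(resolve_image_path($albumDir, './test', '/'));                  // NULL: a directory
var_dump(resolve_image_path($albumDir, '../', 'anything'));              // NULL: outside tree
```

The third case is the one the advisory's own workaround does not cover: is_file() alone only proves that something exists at the concatenated path, so a caller that later reads the file still needs the containment check. Whatever message is returned on the null path should be a fixed string, not the path that failed.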