Secunia Research: Ansel "image" SQL Injection and Script Insertion Vulnerabilities

======================================================================

                     Secunia Research 06/12/2004

 - Ansel "image" SQL Injection and Script Insertion Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

Ansel 2.1 and potentially other versions.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Manipulation of data, Cross Site Scripting
Where:  Remote

======================================================================
3) Vendor's Description of Software

Ansel is a picture gallery for web sites. It is a high quality, 
information-rich photo gallery, designed to handle large numbers of 
images and albums. It stores all its images in a database, making it 
both fast and flexible. Ansel is similar in spirit to Shutterfly and 
Yahoo pictures, but does not place restrictions on image size.

Product link:
http://freshmeat.net/projects/ansel/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in Ansel, which 
can be exploited by malicious people to conduct SQL injection and 
script insertion attacks.

1) Ansel fails to verify input passed to the "image" parameter 
properly before it is used in a SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to the album name field is not properly sanitised 
before being used. This can be exploited to inject arbitrary HTML and 
script code, which will be executed in a user's browser session in 
the context of an affected site when the main page or a malicious 
album is viewed.

The vulnerabilities have been confirmed on version 2.1. Other versions 
may also be affected.
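
As an added illustration (not code from this advisory or from Ansel 
itself), the Python sketch below places the two defect patterns 
described above beside hardened forms: the "image" lookup validates 
the parameter and binds it instead of splicing it into SQL, and the 
album name is HTML-escaped at output time. The table, column and 
function names, and the assumption that "image" is a numeric id, are 
illustrative only.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a gallery's image table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE images (image_id INTEGER PRIMARY KEY, album TEXT, filename TEXT)"
    )
    conn.executemany(
        "INSERT INTO images VALUES (?, ?, ?)",
        [(1, "Holiday", "beach.jpg"), (2, "Private", "secret.jpg")],
    )
    return conn


def lookup_image_unsafe(conn: sqlite3.Connection, image_param: str) -> list:
    # Vulnerable pattern: the request parameter becomes part of the SQL
    # text, so anything the client sends is interpreted as SQL.
    sql = "SELECT filename FROM images WHERE image_id = " + image_param
    return [row[0] for row in conn.execute(sql)]


def lookup_image_safe(conn: sqlite3.Connection, image_param: str) -> list:
    # Hardened: accept only a plain integer id, and pass it as a bound
    # parameter so the database never sees it as SQL text.
    if not image_param.isdigit():
        return []
    rows = conn.execute(
        "SELECT filename FROM images WHERE image_id = ?", (int(image_param),)
    )
    return [row[0] for row in rows]


def render_album_name_unsafe(name: str) -> str:
    # Vulnerable pattern: the stored album name is echoed into the page as-is,
    # so markup in the name is rendered by the viewer's browser.
    return "<h2>" + name + "</h2>"


def render_album_name_safe(name: str) -> str:
    # Hardened: escape at output time so the name is displayed as text.
    return "<h2>" + html.escape(name, quote=True) + "</h2>"
```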

======================================================================
5) Solution

Update to version 2.2:
ftp://heron.sdsc.edu/pub/ansel-2.2.tar.gz

======================================================================
6) Time Table

12/11/2004 - Vulnerability discovered.
17/11/2004 - Vendor notified.
28/11/2004 - Vendor confirms vulnerabilities.
06/12/2004 - Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2004-17/advisory/

======================================================================