Security Vulnerabilities

CVE-2017-16635 – TinyWebGallery XSS Vulnerability

TinyWebGallery v2.4 (TWGE) – Persistent XSS Vulnerability

The TinyWebGallery is a free php based gallery.

A persistent cross-site scripting vulnerability has been discovered in the official TinyWebGallery v2.4 TWG Explorer web application. The persistent vulnerability allows remote attackers to inject their own malicious script code on the application side of the vulnerable service.

The vulnerability is located in the `mkname`, `mkitem` and `item` parameters of the `Add/Create` module. Remote attackers with a low-privilege user account for backend access are able to inject malicious script code into the `TWG Explorer` item listing. The request method used for the injection is POST and the attack vector is located on the application side of the service. The injection point is the add/create input field and the execution point is the item listing displayed after the add or create action.

The security risk of the cross-site scripting vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 3.9. Exploitation of the client-side web vulnerability requires a privileged web-application user account and only low user interaction.

Successful exploitation of the vulnerability results in non-persistent phishing, session hijacking, non-persistent external redirects to malicious sources and client-side manipulation of the affected or connected web module context.

The persistent vulnerability can be exploited by remote attackers with restricted privileged accounts and with low user interaction.

Resolution

Parse the input field used to add files or folders. Restrict the input fields with a filter that disallows the use of special characters to close the injection point.

Escape the entries as an emergency measure to prevent attacks in the backend against higher-privilege admin accounts.

Sanitize and encode the vulnerable output parameter in the listing module to resolve the issue.

Ensure that only trusted sources are allowed to add folders or files via the file explorer module.
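The two fixes the resolution asks for, input restriction on the add/create field and output encoding in the item listing, as an added PHP example that is not TinyWebGallery code; the `mkname` and `mkitem` parameter names come from the advisory, the function names and the sample request are constructed for illustration:

```php
<?php
// Added example (not TinyWebGallery code). Function names are hypothetical;
// only the mkname/mkitem parameter names come from the advisory.

/**
 * Accept only names made of letters, digits, space, dot, dash and underscore.
 * A whitelist is safer than blocking individual special characters.
 * Returns null when the name must be rejected.
 */
function validate_item_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 128) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9 ._-]+$/', $name)) {
        return null;
    }
    // "." and ".." pass the regex but must never become a folder name.
    if ($name === '.' || $name === '..') {
        return null;
    }
    return $name;
}

/**
 * Encode a stored name for the HTML item listing. ENT_QUOTES also escapes
 * single quotes, so the value is inert inside quoted attributes as well.
 */
function render_item_row(string $storedName): string
{
    $safe = htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td class="item" data-name="' . $safe . '">' . $safe . '</td></tr>';
}

// Constructed request, shaped like the POST the Add/Create module receives.
$request = ['mkitem' => 'dir', 'mkname' => 'photos"><i>x</i>'];

$clean = validate_item_name($request['mkname']);
if ($clean === null) {
    echo "rejected: name contains disallowed characters\n";   // this branch runs
} else {
    echo render_item_row($clean), "\n";
}

// Defence in depth: an entry that reached storage before the input filter
// existed is still rendered harmlessly by the output encoding.
echo render_item_row('photos"><i>x</i>'), "\n";
```

The listing-side encoding is what resolves the stored entries already in the gallery; the input filter only prevents new ones.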

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
