SecurityTracker.com
SecurityTracker Archives

Category: Application (Multimedia) > PhotoPost PHP Pro
Vendors: All Enthusiast, Inc.
PhotoPost PHP Pro Has Multiple Input Validation Holes That Let Remote Users Inject SQL Commands and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009571
SecurityTracker URL:  http://securitytracker.com/id/1009571
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Mar 29 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 4.6 and prior versions
Description:   Some input validation vulnerabilities were reported in PhotoPost PHP Pro. A remote user can inject SQL commands and conduct cross-site scripting attacks.

JeiAr of the GulfTech Security Research Team reported that several scripts do not properly validate user-supplied input. A remote user can supply a specially crafted URL to inject SQL commands to be executed by the underlying database. Some demonstration exploit URLs are provided:

addfav.php?photo=[SQL]
comments.php?photo=[SQL]
comments.php?photo=1&cedit=[SQL]
index.php?cat=[SQL]
showgallery.php?ppuser=[SQL]
showgallery.php?cat=[SQL]
uploadphoto.php?cat=[SQL]
useralbums.php?ppaction=delalbum&albumid=[SQL]
useralbums.php?ppaction=editalbum&albumid=[SQL]

It is also reported that the software does not filter HTML code from user-supplied input in the photo names, photo descriptions, album names, and album descriptions. A remote user can submit specially crafted content in those fields. Then, when an administrator views the input to approve the photo, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

Other fields also let remote users conduct cross-site scripting attacks. Some demonstration exploit URLs are provided:

showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&ppuser=10[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&password=[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&stype=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=1[XSS]
showmembers.php?cat=1&si=&page=1[XSS]
showmembers.php?cat=1&si=1[XSS]
showmembers.php?cat=1[XSS]
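As an added defender-side example (not part of the SecurityTracker alert or the GulfTech advisory), the following Python check scans access-log lines for requests to the scripts listed above whose row-identifier parameters are not plain integers, or whose showmembers.php parameters carry HTML markup. The combined log layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script -> query parameters the alert lists as SQL injection points; each names
# a row (photo, category, album, user), so a legitimate value is a plain integer.
INT_PARAMS = {
    "addfav.php": {"photo"},
    "comments.php": {"photo", "cedit"},
    "index.php": {"cat"},
    "showgallery.php": {"ppuser", "cat"},
    "uploadphoto.php": {"cat"},
    "useralbums.php": {"albumid"},
}
# showmembers.php parameters the alert lists as cross-site scripting points.
XSS_PARAMS = {"cat", "si", "page", "sort", "perpage", "ppuser", "password", "stype"}

INT_RE = re.compile(r"^\d+$")
MARKUP_RE = re.compile("[<>\"']")
# Assumed combined-format access log: quoted request line followed by the status.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def check_request(path: str) -> list:
    """Return the findings for one request path; an empty list means it looks benign."""
    parts = urlsplit(path)
    script = parts.path.rsplit("/", 1)[-1]
    findings = []
    # parse_qsl URL-decodes, so %27 and %3C are inspected as ' and <.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in INT_PARAMS.get(script, set()) and not INT_RE.match(value):
            findings.append(f"{script}: non-integer {name}={value!r}")
        if script == "showmembers.php" and name in XSS_PARAMS and MARKUP_RE.search(value):
            findings.append(f"{script}: markup in {name}={value!r}")
    return findings

def scan_log(lines) -> list:
    """Return (line_number, finding) pairs for every flagged request in the log."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits.extend((lineno, f) for f in check_request(m.group(1)))
    return hits

# Constructed sample log lines (not real traffic): benign id, quoted id, tagged perpage.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Mar/2004:10:00:01 +0000] "GET /photopost/addfav.php?photo=1234 HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Mar/2004:10:00:02 +0000] "GET /photopost/addfav.php?photo=1234%27 HTTP/1.1" 500 210',
    '203.0.113.5 - - [29/Mar/2004:10:00:03 +0000] "GET /photopost/showmembers.php?cat=1&perpage=12%3Cb%3E HTTP/1.1" 200 3400',
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```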

The original advisory is available at:

http://www.gulftech.org/03282004.php

Impact:   A remote user can inject SQL commands to be executed on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vulnerable software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The report indicates that "most" of these vulnerabilities are not present in version 4.7.
Vendor URL: www.photopost.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  http://www.gulftech.org/03282004.php


http://www.gulftech.org/03282004.php

PhotoPost PHP Pro Multiple Vulnerabilities  March 28, 2004


Vendor : All Enthusiast, Inc.
URL : http://www.photopost.com
Version : PhotoPost PHP Pro 4.6.x && Earlier
Risk : Multiple Vulnerabilities


Description:
PhotoPost was designed to help you give your users exactly what they want. Your users will 
be thrilled to finally be able to upload and display their photos for your entire 
community to view and discuss, all with no more effort than it takes to post a text 
message to a forum. If you already have a forum (vBulletin, UBB Threads, phpBB, DCForum, 
or InvisionBoard), you'll appreciate that PhotoPost was designed to seamlessly integrate 
into your site without the need for your users to register twice and maintain two logins.


SQL Injection Vulnerabilities:
There are a large number of possibilities for SQL Injection in Photo Post. The most 
important thing to remember here is that this app ties directly into the affected 
website's forum system. So the aim of any smart attacker would be to try and use the 
vulnerabilities in this app to gain control of a forum by grabbing member password hashes. 
Below are example URLs.

addfav.php?photo=[SQL]
comments.php?photo=[SQL]
comments.php?photo=1&cedit=[SQL]
index.php?cat=[SQL]
showgallery.php?ppuser=[SQL]
showgallery.php?cat=[SQL]
uploadphoto.php?cat=[SQL]
useralbums.php?ppaction=delalbum&albumid=[SQL]
useralbums.php?ppaction=editalbum&albumid=[SQL]

I have not released any PoC exploit for these issues, because, like I said before, the real 
danger in these holes is the fact that they can be used to act against an installed forum 
system or other info in the database, and this varies GREATLY on each Photo Post 
installation depending on what forum is installed, the table prefixes, etc. A 
Google search returned over half a million websites running Photo Post, so you can 
imagine the number of possibilities of the environment varying.


Script Injection:
A malicious user can inject script and HTML into several fields in Photo Post. The danger 
of this is that it allows an attacker to run arbitrary code in the context of the browser of 
any user that visits their album. Also, it can be used to run admin commands and the like 
by injecting script or HTML into a photo description that is awaiting approval by an 
admin. When the admin views the photo to be approved, the code is then executed. Some 
examples of where this can take place are in photo names, photo descriptions, album names, 
and album descriptions.


Cross Site Scripting:
There are a number of Cross Site Scripting issues present in Photo Post. And as previously 
mentioned, the danger of it being used against the forum on which it resides is also a very 
real threat. Below is a list of the XSS issues in showmembers.php, but it is also worth 
noting that any of the SQL Injection vulns previously mentioned can also be used for XSS 
if Injection cannot be successfully used.

showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&ppuser=10[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&password=[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&stype=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=1[XSS]
showmembers.php?cat=1&si=&page=1[XSS]
showmembers.php?cat=1&si=1[XSS]
showmembers.php?cat=1[XSS]

Any of these XSS issues can be used to possibly steal cookies from the forum on which Photo 
Post resides, run code in a user's browser and more.


Denial of Service:
PhotoPost is prone to a denial of service attack that can allow an attacker to send a user 
(logged in or not) a malicious link that will result in the user not being able to gain 
access to the PhotoPost installation until they clear their cookies.

showmembers.php?perpage="><script>var%20i=1;%20while(i){alert(i);};</script>

This is possible because the "perpage" variable resides in the user's cookie. Like I said 
before, a user does not have to be logged in for this to happen.


Solution:
The vendor was contacted. Most of these issues do not seem to be present in 4.7 though. 
Users are encouraged to upgrade ASAP.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.


Copyright 2019, SecurityGlobal.net LLC