[UNIX] PhotoPost PHP Pro Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 03/30/04
To: list@securiteam.com Date: 30 Mar 2004 18:54:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PhotoPost PHP Pro Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.photopost.com/> PhotoPost PHP Pro "lets your users upload and
discuss photos in galleries that you create as well as public and private
albums that they create, and it integrates seamlessly into your current
site design."
PhotoPost PHP Pro suffers from multiple SQL injection, cross-site
scripting and denial of service vulnerabilities.
DETAILS
Vulnerable Systems:
* PhotoPost PHP Pro version 4.6.x and prior
Immune Systems:
* PhotoPost PHP Pro version 4.7
SQL Injection Vulnerabilities
There are numerous SQL injection vulnerabilities in PhotoPost PHP Pro.
What makes them especially dangerous is that PhotoPost integrates with
other forum software such as vBulletin, phpBB, etc., so an SQL injection
can give an attacker the forum's usernames and password hashes. Examples of
SQL injections can be seen below:
addfav.php?photo=[SQL]
comments.php?photo=[SQL]
comments.php?photo=1&cedit=[SQL]
index.php?cat=[SQL]
showgallery.php?ppuser=[SQL]
showgallery.php?cat=[SQL]
uploadphoto.php?cat=[SQL]
useralbums.php?ppaction=delalbum&albumid=[SQL]
useralbums.php?ppaction=editalbum&albumid=[SQL]
Depending on the forum and the table names, SQL statements can be used to
disclose information from the database. However, since the names are
different per forum, no elaborate examples are presented.
Script Injection
In several locations it is possible to inject malicious script code that
will be executed in the context of the viewing user's browser. Injecting
malicious HTML or script code into a photo description that is awaiting
approval by the admin causes the script to run when the admin reviews it,
enabling execution of admin commands. The issue is not confined to photo
descriptions; photo names, album names and album descriptions are affected
as well.
Cross-site Scripting
Several XSS bugs exist in PhotoPost. A number of them are in
showmembers.php and are shown here:
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&ppuser=10[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&password=[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&stype=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=1[XSS]
showmembers.php?cat=1&si=&page=1[XSS]
showmembers.php?cat=1&si=1[XSS]
showmembers.php?cat=1[XSS]
In any case, all SQL injection vulnerabilities can also be used as a means
for performing a cross-site scripting attack.
Denial of Service
PhotoPost is prone to a denial of service condition: an attacker can send a
user (logged on or not) a link that leaves the user unable to access the
forum until they delete their cookies:
showmembers.php?perpage="><scr!pt>var%20i=1;%20while(i){alert(i);};</scr!pt>
This is only possible because the 'perpage' variable is stored in the
user's cookie. It makes little difference whether the user is logged on or
not.
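Added here as a defender-side example (this is not part of the advisory and not PhotoPost code): a scan over constructed Apache-style access log lines that flags requests to the scripts listed in the SQL injection, XSS and denial of service sections above whose integer-only parameters carry non-numeric values, which is the common shape of all the URLs shown. The script-to-parameter mapping is taken from the advisory's URL list; treating those parameters as integer-only, the log format and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script -> parameters, taken from the advisory's URL list. Treating them as
# integer-only is this example's assumption, not PhotoPost's documented rule.
INT_PARAMS = {
    "addfav.php": {"photo"},
    "comments.php": {"photo", "cedit"},
    "index.php": {"cat"},
    "showgallery.php": {"ppuser", "cat"},
    "uploadphoto.php": {"cat"},
    "useralbums.php": {"albumid"},
    "showmembers.php": {"cat", "page", "sort", "perpage", "ppuser", "stype"},
}

# Request line inside an Apache/NCSA combined log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic): two clean requests and two whose
# integer parameters carry a quote and an HTML fragment respectively.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Mar/2004:18:54:00 +0200] "GET /photopost/showgallery.php?cat=500&ppuser=12 HTTP/1.1" 200 5120
192.0.2.11 - - [30/Mar/2004:18:54:03 +0200] "GET /photopost/comments.php?photo=12%27 HTTP/1.1" 200 4096
192.0.2.12 - - [30/Mar/2004:18:54:07 +0200] "GET /photopost/showmembers.php?cat=1&si=&page=7&perpage=%22%3E%3Cscr!pt%3E HTTP/1.1" 200 2048
192.0.2.13 - - [30/Mar/2004:18:54:09 +0200] "GET /photopost/useralbums.php?ppaction=delalbum&albumid=7 HTTP/1.1" 302 0
"""

def suspicious_params(request_target):
    """Return (script, param, decoded value) for watched params that are not plain digit strings."""
    parts = urlsplit(request_target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = INT_PARAMS.get(script)
    if not watched:
        return []  # not a PhotoPost script named in the advisory
    return [
        (script, name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name in watched and value and not value.isdigit()
    ]

def scan_log(log_text):
    """Return (client_ip, script, param, value) tuples for each flagged request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            client_ip = line.split(" ", 1)[0]
            for hit in suspicious_params(match.group("target")):
                findings.append((client_ip,) + hit)
    return findings
```

The same integer-only check, applied server-side to these parameters (and to the cookie-sourced 'perpage' value) before they reach a query or a page, is the mitigation the upgrade to 4.7 is expected to provide.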
Vendor Status:
The vendor has been contacted. Upgrade to version 4.7 to mitigate the
vulnerabilities.
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@gulftech.org> JeiAr
of GulfTech Security Research Team.