Title:
======
Private Photos v1.0 iOS - Persistent Path Web Vulnerability


Date:
=====
2013-07-25


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1034


VL-ID:
=====
1034


Common Vulnerability Scoring System:
====================================
3.5


Introduction:
=============
You must have some private photos you don`t want others peeping. Private photos is the perfect app to keep 
your private photos safely in your iPad. Photos are protected by a password and you won`t worry your privacy 
when friends playing your iPad.

Now you can enjoy your private photos anytime, anywhere with your iPad. The built-in viewer can zoom in, 
zoom out, and slideshow photos, just like the experience with the native photos app.

Highlighted features:
- One password protection for photos viewing and transferring
- Web access via WIFI
- Multiple photos transferring
- Multi-touch support: swipe, zoom
- Slide show

Transferring your photos to the app is simple. You can easily access your private photos via WIFI from 
desktop/laptop`s web browser (Make sure your desktop/laptop is in the same WIFI network as your iPad). 
When connected to your iPad from web browser, you can select and transfer multiple photos with one click. 
The transferring is also protected by the same password.

(Copy of the Homepage: https://itunes.apple.com/de/app/my-private-photos/id427134970 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered 2 persistent web vulnerabilities in the Private Photos v1.0 application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-07-25:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Private Photos 1.0


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent input validation web vulnerability is detected  in the Private Photos v1.0 application (Apple iOS - iPad & iPhone).
The bug allows an attacker (remote) to implement/inject malicious own malicious persistent script codes (application side).

The vulnerability is located in the `Add Directory` module of the web-server (http://localhost:8080) when processing to 
request via POST method manipulated `folder-names`. The folder name will be changed to the path value without secure filter, 
encode or parse. The injected script code will be executed in the path listing were the attacker injected earlier the code 
and of course also in the index listing of the mobile web application.

There is a security protection to filter single and double quotes. When processing to inject the code a messagebox pops up 
with the illegal characters exception. To bypass the exception the remote attacker can use simple obfuscated strings, embed code 
or html/js script codes (frames, scripts, img, embed and co.) without single & double quotes.

Exploitation of the persistent web vulnerability requires low user interaction and a local low privilege mobile application account 
with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal 
via persistent web attacks, persistent phishing or persistent module context manipulation.

Vulnerable Application(s):
        [+] Private Photos v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
        [+] Add Directory

Vulnerable Parameter(s):
        [+] path (DIRECTORYNAME)

Affected Module(s):
        [+] Index Listing
        [+] Path/Folder Listing


Proof of Concept:
=================
The persistent input validation web vulnerability can be exploited by remote attackers with low privilege application user account 
and low or medium required user interaction. For demonstration or reproduce ...

PoC: Add Directory

<strong style="position:absolute; color:#226ebc; left:12px; top:0px; font-size:20px;">Private Photos</strong>
<div style="position:absolute; font-size:15px; color:#444; right:12px; top:20px; font-size:15px; line-height:24px; 
text-align:right; width:360px;"><strong style="color:#F30;">The free version only allows 100 photos!</strong>
<br><strong>Get the full verison in <a href="http://itunes.apple.com/app/id427134970?mt=8" style="color:#F60;" 
target="_blank">App Store</a></strong></div></div> 

<div class="topbar_2" style="color:#FFC;">
<span style="position:absolute; right:10px;"><a href="javascript:addFolder();">
Add Directory</a>  |  <a id="AllSelect" href="javascript:selectAll()">Select All</a>
  |  <a href="javascript:if(confirm('Are%20you%20sure%20to%20delete?'))delPhoto();" 
id="del" style="color:#F30;">Delete</a></span>
<span style="position:absolute; left:10px;">Photos/ ><[PERSISTENT INJECTED SCRIPT CODE VIA ADD DIRECTORY NAME]">/
 &nbsp;&nbsp; <a href="javascript:window.location.href='..'" 
style="color:#F60"> <<Up 
Level</a></span><span id="photoCount"></span>

Note: The application will attach the injected payload to the main server as folder/path name. example: http://localhost:8080/[payload]<


Solution:
=========
The vulnerability can be patched by a restriction of the foldername input and a secure encoding of the input.
The output location of the foldername and path needs to be filtered and encoded by a secure mechanism.


Risk:
=====
The security risk of the persistent script code inject web vulnerability is estimated as medium.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com             - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com          - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev   - forum.vulnerability-db.com            - magazine.vulnerability-db.com
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab          - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

        Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com