what you don't know can hurt you

Zoph 0.9.1 Cross Site Scripting / SQL Injection

Zoph 0.9.1 Cross Site Scripting / SQL Injection
Posted Nov 18, 2014
Authored by Manuel Garcia Cardenas

Zoph versions 0.9.1 and below suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | e090182024516a6e38347b0a96b7a609

Zoph 0.9.1 Cross Site Scripting / SQL Injection

Change Mirror Download
=============================================
MGC ALERT 2014-005
- Original release date: March 5, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Zoph <= 0.9.1

II. BACKGROUND
-------------------------
Zoph (Zoph Organizes Photos) is a web based digital image presentation and
management system. In other words, a photo album. It is built with PHP,
MySQL and Perl.

III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variables "id" and "action" on the
pages group, photos and user. This bug was found using the portal with
authentication. To exploit the vulnerability only is needed use the version
1.0 of the HTTP protocol to interact with the application.
Has been detected a reflected XSS vulnerability in Zoph, that allows the
execution of arbitrary HTML/script code to be executed in the context of
the victim user's browser.

IV. PROOF OF CONCEPT
-------------------------
SQL Injection:

/zoph/php/group.php?_action=1'%22&_clear_crumbs=1
/zoph/php/photos.php?location_id=1'%22
/zoph/php/user.php?user_id=&_action=1'%22

Cross-Site Scripting GET:

/zoph/php/edit_photos.php?photographer_id=3"><script>alert(1)</script>
/zoph/php/edit_photos.php?album_id=2&_crumb=3"><script>alert(1)</script>

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Zoph <= 0.9.1

VII. SOLUTION
-------------------------
No news releases

VIII. REFERENCES
-------------------------
http://www.zoph.org/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Send to vendor
June 17, 2014 3: Second mail to the verdor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close