Exploit the possiblities

PhotoPost PHP 4.8c Cross Site Scripting

PhotoPost PHP 4.8c Cross Site Scripting
Posted Jul 31, 2015
Authored by Jing Wang

PhotoPost PHP version 4.8c suffers from a cross site scripting vulnerability.

tags | exploit, php, xss
MD5 | 301e5fb3aa8757fb77b5df6feb8881b7

PhotoPost PHP 4.8c Cross Site Scripting

Change Mirror Download
PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web
Application 0-Day Bug



Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security
Vulnerability
Product: PhotoPost PHP
Vendor: PhotoPost
Vulnerable Versions: 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3
Tested Version: 4.8c vB3
Advisory Publication: July 25, 2015
Latest Update: July 28, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Discover and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)






*Caution Details:*


*(1) Vendor & Product Description:*


*Vendor:*
PhotoPost



*Product & Vulnerable Versions:*
PhotoPost PHP
4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3



*Vendor URL & Download:*
Product can be obtained from here,
http://www.photopost.com/featuresphp.html




*Product Introduction Overview:*
"Your search to find the best photo gallery has led you to the most feature
rich, best performing, and most widely used gallery available today.
PhotoPost is the best way to offer your users the ability to upload, show
off, share, discuss, and rate photos and videos on your site. We originally
created PhotoPost in 2001 for TechIMO.com, our parent company's own tech
discussion website with 2 Million forum posts and 200,000 users, and within
weeks we were inundated with requests, so we decided to develop it into a
product. Over the past 8 years, PhotoPost has undergone more than 100 "dot"
updates by a team of expert developers to add features, tweak performance,
and maximize stability. Always in high demand, PhotoPost has been purchased
by a staggering 14,500 websites. PhotoPost is most popular amongst
vBulletin forum owners. That's because we designed PhotoPost from the
beginning to integrate efficiently with a website's existing vBulletin
forum, offering users one integrated login and registration instead of two,
stylesheet integration, and other enhancements. But what PhotoPost does
well for vBulletin owners, it does equally well for those that wish to
integrate a gallery with many other forum types, or to simply add a photo
gallery to their website with no forum at all. "










*(2) Vulnerability Details:*
PhotoPost PHP web application has a computer security problem. Hackers can
exploit it by XSS cyber attacks. This may allow a remote attacker to create
a specially crafted request that would execute arbitrary script code in a
user's browser session within the trust relationship between their browser
and the server.

Several other similar products 0-day vulnerabilities have been found by
some other bug hunter researchers before. PhotoPost PHP has patched some of
them. CXSECurity is a huge collection of information on data communications
safety. Its main objective is to inform about errors in various
applications. It also publishes suggestions, advisories, solutions details
related to XSS vulnerabilities and cyber intelligence recommendations.



*(2.1) *The code flaw occurs at "|utmcct" parameter in "__utmz" cookie.


For example, if a victim clicks the link below.
http://localhost/gallery/showphoto.php/photo/846/sort/
'"><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)>


The content of "__utmz" cookie will be the following:
__utma 194200300.1295483682.1438243020.1438243020.1438245659.2
__utmc 194200300
__utmz 194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com
|utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral
__qca P0-814178849-1438243024810
__utmb 194200300
bbsessionhash 1683dd3bd3edffbd8383db382f025eba
bblastvisit 1438246612


So the malicious code can work in the user's browser for long time.





*(2.2) Forum Integrations*
"PhotoPost can optionally integrate as an add-on to an existing forum on
your site, and we do this extremely well. PhotoPost is a perfect fit with a
forum, because sharing and discussing photos within PhotoPost comes
naturally for a forum community.

With our forum integration, your users will use their existing forum
account to login to PhotoPost, without needing to register again and
maintain a separate account. Additionally, we offer stylesheet integrations
with several forums to easily setup your PhotoPost gallery to match your
forum's look and feel, and with vBulletin 3.x we offer several additional
enhancements."

Forum Software User Login Stylesheets Enhanced*
vBulletin 5.x
vBulletin 4.x
vBulletin 3.x
Xenforo 1.x
UBBThreads 6.X
UBBThreads 7.X
InvisionBoard 1.0
InvisionBoard 2.0
InvisionBoard 3.0
FusionBB
MyBB 1.0
SMF 1.05 and up
SMF 2.0 and up
WowBB
e107
PHPBB 2.0
PHPBB 3.0
Wordpress 3.x
vBulletin 2.x
DCForums +
IkonBoard
Nuke
PostNuke
Mambo
XMB Forums

(Src:
http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php
)









*References:*
http://tetraph.com/security/xss-vulnerability/photopost-php/
http://securityrelated.blogspot.com/2015/07/photopost-php-48c-cookie-based-stored.html
https://progressive-comp.com/?l=full-disclosure&m=142649827629327&w=1
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01901.html
https://vulnerabilitypost.wordpress.com/2015/07/27/photopost-php/
http://tetraph.blog.163.com/blog/static/234603051201563055350773/
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1817
http://www.inzeed.com/kaleidoscope/xss-vulnerability/rakuten-website-xss/
http://seclists.org/fulldisclosure/2015/Mar/56
http://lists.openwall.net/full-disclosure/2015/03/07/4







--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close