Twenty Year Anniversary

PhotoPost.txt

PhotoPost.txt
Posted Jan 5, 2005
Authored by James Bercegay | Site gulftech.org

GulfTech Security Research - PhotoPost PHP versions 4.8.6 and below suffer from cross site scripting and SQL injection flaws. Sample exploitation given.

tags | exploit, php, xss, sql injection
MD5 | a8252c4a7a9a930d42220a299a3a2a0f

PhotoPost.txt

Change Mirror Download


##########################################################
# GulfTech Security Research January 03, 2005
##########################################################
# Vendor : All Enthusiast, Inc.
# URL : http://www.photopost.com/class/
# Version : PhotoPost PHP 4.8.1 && Others
# Risk : Multiple Vulnerabilities
##########################################################



Description:
PhotoPost was designed to help you give your users exactly
what they want. Your users will be thrilled to finally be
able to upload and display their photos for your entire
community to view and discuss, all with no more effort than
it takes to post a text message to a forum. If you already
have a forum (vBulletin, UBB Threads, phpBB, DCForum, or
InvisionBoard), you'll appreciate that PhotoPost was designed
to seamlessly integrate into your site without the need for
your users to register twice and maintain two logins. Where you
see [INT] in this advisory, it represents an integer such as a
valid category. [XSS] and [SQL] represent where an attacker could
insert code to conduct a cross site scripting attack, or inject
data to influence SQL queries.



Cross Site Scripting:
PhotoPost is prone to cross site scripting in several different
scripts throughout the application. Below are examples:


http://path/showgallery.php?cat=[INT]&page=[XSS]
http://path/showgallery.php?si=[XSS]
http://path/showgallery.php?cat=[INT][XSS]
http://path/showgallery.php?ppuser=[INT]&cat=[INT][XSS]

This can be used to render hostile code in the context of the
victims browser, or to steal cookie based credentials or other
sensitive info.



SQL Injection Vulnerabilities:
There are a substantial number of SQL Injection vulnerabilities in
this application. Some are easy to exploit, others are not so easy.

http://path/showgallery.php?cat=[INT][SQL]
http://path/showgallery.php?ppuser=[INT][SQL]&cat=[INT]

These SQL issues can possibly be exploited to influence SQL queries
and disclose arbitrary data. These will alse cause XSS if unsuccessful.



Proof Of Concept:
Due to the fact that some people feel the issues in this advisory and
our last PhotoPost advisory were not accurate and unexploitable we have
decided to include a proof of concept.

http://path/showgallery.php?ppuser=-2'%20UNION%20SELECT%200,email,
0,0,0,0,0,0%20FROM%20user%20WHERE%20userid='1&cat=500

The above example is relatively harmless, but will pull the private
email address of a user. This could just as easily be an admin password
hash. This works on all versions prior to recently released PhotoPost 4.86



Solution:
PhotoPost 4.86 has been released to address these issues. Users should
upgrade their installation as soon as possible.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00063-01032005



Credits:
James Bercegay of the GulfTech Security Research Team

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.7 - Release Date: 12/30/2004


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    2 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close