########################################################## # GulfTech Security Research January 03, 2005 ########################################################## # Vendor : All Enthusiast, Inc. # URL : http://www.photopost.com/class/ # Version : PhotoPost PHP 4.8.1 && Others # Risk : Multiple Vulnerabilities ########################################################## Description: PhotoPost was designed to help you give your users exactly what they want. Your users will be thrilled to finally be able to upload and display their photos for your entire community to view and discuss, all with no more effort than it takes to post a text message to a forum. If you already have a forum (vBulletin, UBB Threads, phpBB, DCForum, or InvisionBoard), you'll appreciate that PhotoPost was designed to seamlessly integrate into your site without the need for your users to register twice and maintain two logins. Where you see [INT] in this advisory, it represents an integer such as a valid category. [XSS] and [SQL] represent where an attacker could insert code to conduct a cross site scripting attack, or inject data to influence SQL queries. Cross Site Scripting: PhotoPost is prone to cross site scripting in several different scripts throughout the application. Below are examples: http://path/showgallery.php?cat=[INT]&page=[XSS] http://path/showgallery.php?si=[XSS] http://path/showgallery.php?cat=[INT][XSS] http://path/showgallery.php?ppuser=[INT]&cat=[INT][XSS] This can be used to render hostile code in the context of the victims browser, or to steal cookie based credentials or other sensitive info. SQL Injection Vulnerabilities: There are a substantial number of SQL Injection vulnerabilities in this application. Some are easy to exploit, others are not so easy. http://path/showgallery.php?cat=[INT][SQL] http://path/showgallery.php?ppuser=[INT][SQL]&cat=[INT] These SQL issues can possibly be exploited to influence SQL queries and disclose arbitrary data. These will alse cause XSS if unsuccessful. Proof Of Concept: Due to the fact that some people feel the issues in this advisory and our last PhotoPost advisory were not accurate and unexploitable we have decided to include a proof of concept. http://path/showgallery.php?ppuser=-2'%20UNION%20SELECT%200,email, 0,0,0,0,0,0%20FROM%20user%20WHERE%20userid='1&cat=500 The above example is relatively harmless, but will pull the private email address of a user. This could just as easily be an admin password hash. This works on all versions prior to recently released PhotoPost 4.86 Solution: PhotoPost 4.86 has been released to address these issues. Users should upgrade their installation as soon as possible. Related Info: The original advisory can be found at the following location http://www.gulftech.org/?node=research&article_id=00063-01032005 Credits: James Bercegay of the GulfTech Security Research Team -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.296 / Virus Database: 265.6.7 - Release Date: 12/30/2004