lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1104794399_9205@S4.cableone.net>
Date: Mon, 3 Jan 2005 17:09:47 -0600
From: "GulfTech Security" <security@...ftech.org>
To: <bugtraq@...urityfocus.com>, "OSVDB" <moderators@...db.org>,
	"Secunia Research" <vuln@...unia.com>
Subject: Multiple PhotoPost Pro Vulnerabilities




##########################################################
# GulfTech Security Research	         January 03, 2005
##########################################################
# Vendor  : All Enthusiast, Inc.
# URL     : http://www.photopost.com/class/
# Version : PhotoPost PHP 4.8.1 && Others
# Risk    : Multiple Vulnerabilities
##########################################################



Description:
PhotoPost was designed to help you give your users exactly 
what they want. Your users will be thrilled to finally be 
able to upload and display their photos for your entire 
community to view and discuss, all with no more effort than 
it takes to post a text message to a forum. If you already 
have a forum (vBulletin, UBB Threads, phpBB, DCForum, or 
InvisionBoard), you'll appreciate that PhotoPost was designed 
to seamlessly integrate into your site without the need for 
your users to register twice and maintain two logins. Where you 
see [INT] in this advisory, it represents an integer such as a 
valid category. [XSS] and [SQL] represent where an attacker could 
insert code to conduct a cross site scripting attack, or inject 
data to influence SQL queries.



Cross Site Scripting:
PhotoPost is prone to cross site scripting in several different 
scripts throughout the application. Below are examples:


http://path/showgallery.php?cat=[INT]&page=[XSS]
http://path/showgallery.php?si=[XSS]
http://path/showgallery.php?cat=[INT][XSS]
http://path/showgallery.php?ppuser=[INT]&cat=[INT][XSS]

This can be used to render hostile code in the context of the 
victims browser, or to steal cookie based credentials or other
sensitive info.



SQL Injection Vulnerabilities:
There are a substantial number of SQL Injection vulnerabilities in 
this application. Some are easy to exploit, others are not so easy.

http://path/showgallery.php?cat=[INT][SQL]
http://path/showgallery.php?ppuser=[INT][SQL]&cat=[INT]

These SQL issues can possibly be exploited to influence SQL queries 
and disclose arbitrary data. These will alse cause XSS if unsuccessful.



Proof Of Concept:
Due to the fact that some people feel the issues in this advisory and 
our last PhotoPost advisory were not accurate and unexploitable we have 
decided to include a proof of concept.

http://path/showgallery.php?ppuser=-2'%20UNION%20SELECT%200,email,
0,0,0,0,0,0%20FROM%20user%20WHERE%20userid='1&cat=500

The above example is relatively harmless, but will pull the private 
email address of a user. This could just as easily be an admin password 
hash. This works on all versions prior to recently released PhotoPost 4.86



Solution:
PhotoPost 4.86 has been released to address these issues. Users should
upgrade their installation as soon as possible.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00063-01032005



Credits:
James Bercegay of the GulfTech Security Research Team

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.7 - Release Date: 12/30/2004
 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ