Rayzz Photoz - Arbitrary File Upload

EDB-ID:

13772

CVE:

N/A




Platform:

PHP

Date:

2010-06-08


==========================================================
          Rayzz Photoz Upload Vulnerability  
==========================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1               ##########################################             1
0               I'm Sid3^effects member from Inj3ct0r Team             1
1               ##########################################             0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Name : Rayzz Photoz Upload Vulnerability 
Date : june, 8 2010
Vendor url :http://www.rayzz.net/product-photoz/
Price: $197.00
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),MaYur,LiquidWorm,gunslinger_
greetz to :All ICW members.

###############################################################################################################
Description:

Rayzz Photoz is a photo and image sharing platform which enables your users to upload photo albums and portfolios to be showcased on your website. Websites like Facebook and Flickr have been built on the back of people uploading their photos and sharing them with their friends and there is still a huge hungry market for people wanting to share images and portfolios to gain more exposure for their work.

With incredible features like mass uploading, importing from other websites, geo-location (using Google maps), tagging, albums and paid memberships, Photoz is everything you require in a photo and image sharing solution.

Photoz also integrates a social networking element where your members can make friends, communicate and keep up to date with what each one is doing, such as seeing which images they like, new albums that they have created and sending messages to each other.

Incredibly easy to use, powerful and scaleable, you can make waves in the photo and image sharing market.

###############################################################################################################
Xploit: Upload Vulnerability

STEP 1 : REgister as a user :)

STEP 2 : goto any member's profile and in the "ADD SCRAP" option

STEP 3 : Just post your evil script code in the scrap 

STEP 4 : voila your script is executed :) 

STEP 5 : now r00t the box

###############################################################################################################
# 0day no more 
#Sid#^effects