Can I get CVEs for the following issues in Zenphoto, thanks.
Advisory: http://www.enkomio.com/Advisory/SOJOBO-ADV-13-01
http://seclists.org/bugtraq/2013/Oct/20
Advisory ID: SOJOBO-ADV-13-01
Vendor news: http://www.zenphoto.org/news/zenphoto-1.4.5.4
http://osvdb.org/98091
http://osvdb.org/98092
"""
A) Cross Site Scripting in mergedRSS.php [Impact: 3/5]
Follow a trace to reach the vulnerable code.
File: zp-core\zp-extensions\mergedRSS.php
43: $MergedRSS = new MergedRSS($feeds,
        strip_tags(get_language_string($gallery->getTitle(), $locale)), FULLWEBPATH,
        strip_tags(get_language_string($gallery->getDesc(), $locale)), $feed_date);
..
46: $MergedRSS->export(false, true, 20);
..
98: public function export($return_as_string = true, $output = false, $limit = null) {
..
140: $xml .= "\t<atom:link href=\"http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']."\" rel=\"self\" type=\"application/rss+xml\" />\n";
..
165: if ($output) { echo $xml; }
The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be
manipulated in order to insert valid HTML code.
B) SQL Injection in wordpress_import.php [Impact: 1/5]
This vulnerability has various preconditions that need to be satisfied in order
to be exploited. Admin rights are necessary; also, the user must specify a valid
hostname, username and password for the database connection (can be obtained via
password guessing). Due to these preconditions the impact was lowered to Very Low.
Follow a trace to reach the vulnerable code.
File: zp-core\zp-extensions\wordpress_import.php
76: if(isset($_REQUEST['dbname']) || isset($_REQUEST['dbuser']) || isset($_REQUEST['dbpass']) || isset($_REQUEST['dbhost'])) {
..
82: $wp_prefix = sanitize($_REQUEST['tableprefix']);
..
120: if(!isset($_GET['refresh'])) {
121: $cats = wp_query_full_array("SELECT * FROM ".wp_prefix('terms',$wp_prefix)." as terms, ".wp_prefix('term_taxonomy',$wp_prefix)." as tax WHERE tax.taxonomy = 'category' AND terms.term_id = tax.term_id",$wpdbconnection);
..
55: function wp_query_full_array($sql,$wpconnection) {
56: $result = mysql_query($sql,$wpconnection) or die(gettext("Query failed : ") . mysql_error());
where 'wp_prefix' is:
67: function wp_prefix($tablename,$wp_prefix) {
68: return '`'.$wp_prefix.$tablename.'`';
69: }
the function 'sanitize' is:
File: zp-core\functions-common.php
145: function sanitize($input_string, $sanitize_level=3) {
..
152: $output_string = sanitize_string($input_string, $sanitize_level);
..
177: function sanitize_string($input, $sanitize_level) {
..
192: case 3:
..
194: return strip_tags($input);
'strip_tags' doesn't validate against SQL Injection vulnerabilities.
In order to exploit this vulnerability the user must be logged in as admin; this
precondition severely limits the impact.
"""