PhotoPost Pro adm-photo.php Arbitrary Image Manipulation
2005-03-11T05:40:19
ID: OSVDB:14681
Type: osvdb
Reporter: Igor Franchuk (sprog@online.ru)
Modified: 2005-03-11T05:40:19
Description
Vulnerability Description
PhotoPost Pro contains a flaw that may allow a remote attacker to manipulate arbitrary images. The problem is that the 'adm-photo.php' script does not check for administrative privileges before allowing the manipulation of photos, resulting in a loss of integrity.
Solution Description
Upgrade to version 5.01 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
{"type": "osvdb", "published": "2005-03-11T05:40:19", "href": "https://vulners.com/osvdb/OSVDB:14681", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/", "score": 5.0}, "viewCount": 6, "edition": 1, "reporter": "Igor Franchuk(sprog@online.ru)", "title": "PhotoPost Pro adm-photo.php Arbitrary Image Manipulation", "affectedSoftware": [{"operator": "eq", "version": "5.0 RC3", "name": "PhotoPost PHP Pro"}], "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2017-04-28T13:20:10", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0776"]}, {"type": "exploitdb", "idList": ["EDB-ID:25208"]}, {"type": "nessus", "idList": ["PHOTOPOST_MULTIPLE_VULNS.NASL"]}], "modified": "2017-04-28T13:20:10", "rev": 2}, "vulnersScore": 6.7}, "references": [], "id": "OSVDB:14681", "lastseen": "2017-04-28T13:20:10", "cvelist": ["CVE-2005-0776"], "modified": "2005-03-11T05:40:19", "description": "## Vulnerability Description\nPhotoPost Pro contains a flaw that may allow a remote attacker to manipulate arbitrary images. The problem is that the 'adm-photo.php' script does not check for administrative privileges before allowing the manipulation of photos, resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 5.01 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPhotoPost Pro contains a flaw that may allow a remote attacker to manipulate arbitrary images. 
The problem is that the 'adm-photo.php' script does not check for administrative privileges before allowing the manipulation of photos, resulting in a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/photopost/adm-photo.php?ppaction=manipulate&pid=1&dowhat=rebuildthumb&dowhat=rotateccw\n## References:\nVendor URL: http://www.photopost.com/\n[Secunia Advisory ID:14576](https://secuniaresearch.flexerasoftware.com/advisories/14576/)\n[Related OSVDB ID: 14679](https://vulners.com/osvdb/OSVDB:14679)\n[Related OSVDB ID: 14680](https://vulners.com/osvdb/OSVDB:14680)\n[Related OSVDB ID: 14682](https://vulners.com/osvdb/OSVDB:14682)\n[Related OSVDB ID: 14683](https://vulners.com/osvdb/OSVDB:14683)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0200.html\nISS X-Force ID: 19677\n[CVE-2005-0776](https://vulners.com/cve/CVE-2005-0776)\nBugtraq ID: 12779\n"}
{"cve": [{"lastseen": "2021-02-02T05:24:35", "description": "adm-photo.php in PhotoPost PHP 5.0 RC3 does not properly verify administrative privileges before manipulating photos, which could allow remote attackers to manipulate other users' photos.", "edition": 4, "cvss3": {}, "published": "2005-05-02T04:00:00", "title": "CVE-2005-0776", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0776"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:photopost:photopost_php_pro:5.0_rc3"], "id": "CVE-2005-0776", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0776", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:photopost:photopost_php_pro:5.0_rc3:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-03T00:52:41", "description": "All Enthusiast PhotoPost PHP Pro 5.0 adm-photo.php Arbitrary Image Manipulation. CVE-2005-0776 . Webapps exploit for php platform", "published": "2005-03-10T00:00:00", "type": "exploitdb", "title": "All Enthusiast PhotoPost PHP Pro 5.0 adm-photo.php Arbitrary Image Manipulation", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0776"], "modified": "2005-03-10T00:00:00", "id": "EDB-ID:25208", "href": "https://www.exploit-db.com/exploits/25208/", "sourceData": "source: http://www.securityfocus.com/bid/12779/info\r\n\r\nPhotoPost PHP Pro is a web-based image gallery application written in PHP. 
It can be implemented on any platform that supports PHP script execution.\r\n\r\nMultiple remote vulnerabilities affect All Enthusiast PhotoPost PHP Pro. These issues are due to a failure of the application to validate access rights and user-supplied input.\r\n\r\nThe first issue is an access validation issue that may allow attackers to manipulate images uploaded by arbitrary users. The second issue is a cross-site scripting vulnerability.\r\n\r\nAn attacker may leverage these issues to execute script code in an unsuspecting user's browser and to bypass authentication to execute certain application commands.\r\n\r\nhttp://www.example.com/photopost/adm-photo.php?ppaction=manipulate&pid=[IMAGE ID]&dowhat=rebuildthumb&dowhat=rotateccw ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/25208/"}], "nessus": [{"lastseen": "2021-01-20T13:25:43", "description": "According to its banner, the version of PhotoPost PHP installed on the\nremote host has several vulnerabilities:\n\n - An Access Validation Vulnerability.\n The 'adm-photo.php' script fails to verify authentication\n credentials, which allows an attacker to change the \n properties of thumbnails of uploaded images.\n\n - A SQL Injection Vulnerability.\n The 'uid' parameter in the 'member.php' script is not \n properly sanitized before use in SQL queries. 
An\n attacker can leverage this flaw to disclose or modify\n sensitive information or perhaps even launch attacks\n against the underlying database implementation.\n\n - A Cross-site Scripting (XSS) Vulnerability.\n The 'editbio' parameter of the user profile form is not sanitized\n properly, allowing an attacker to inject arbitrary script or\n HTML in a user's browser in the context of the affected website, \n resulting in theft of authentication data or other such attacks.", "edition": 27, "published": "2005-03-11T00:00:00", "title": "PhotoPost PHP < 5.0.1 Multiple Remote Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0776", "CVE-2005-1629", "CVE-2005-0775", "CVE-2005-0778", "CVE-2005-0774", "CVE-2005-0777"], "modified": "2005-03-11T00:00:00", "cpe": ["cpe:/a:photopost:photopost_php_pro", "cpe:/a:photopost:photopost_php"], "id": "PHOTOPOST_MULTIPLE_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/17314", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(17314);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2005-0774\", \"CVE-2005-0775\", \"CVE-2005-0776\", \"CVE-2005-0777\", \"CVE-2005-0778\", \"CVE-2005-1629\");\n script_bugtraq_id(12779, 13620);\n\n script_name(english:\"PhotoPost PHP < 5.0.1 Multiple Remote Vulnerabilities\");\n script_summary(english:\"Checks for multiple remote vulnerabilities in PhotoPost PHP 5.0 RC3 and older\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nseveral vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PhotoPost PHP installed on the\nremote host has several vulnerabilities:\n\n - An Access Validation 
Vulnerability.\n The 'adm-photo.php' script fails to verify authentication\n credentials, which allows an attacker to change the \n properties of thumbnails of uploaded images.\n\n - A SQL Injection Vulnerability.\n The 'uid' parameter in the 'member.php' script is not \n properly sanitized before use in SQL queries. An\n attacker can leverage this flaw to disclose or modify\n sensitive information or perhaps even launch attacks\n against the underlying database implementation.\n\n - A Cross-site Scripting (XSS) Vulnerability.\n The 'editbio' parameter of the user profile form is not sanitized\n properly, allowing an attacker to inject arbitrary script or\n HTML in a user's browser in the context of the affected website, \n resulting in theft of authentication data or other such attacks.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Mar/213\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2005/May/311\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PhotoPost PHP version 5.01 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/03/11\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/03/11\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:photopost:photopost_php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:photopost:photopost_php_pro\");\n script_end_attributes();\n \n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"photopost_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/photopost\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/photopost\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n\n if (ver =~ \"^[0-4].*|5\\.0[^0-9]?|5\\.0rc[123]$\")\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}