Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PhotoPost PHP 4.8c Cross Site Scripting

🗓️ 31 Jul 2015 00:00:00Reported by Jing WangType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 66 Views

PhotoPost PHP 4.8c Cookie Based Stored Cross Site Scripting Web Vulnerabilit

Code
`PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web  
Application 0-Day Bug  
  
  
  
Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security  
Vulnerability  
Product: PhotoPost PHP  
Vendor: PhotoPost  
Vulnerable Versions: 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3  
Tested Version: 4.8c vB3  
Advisory Publication: July 25, 2015  
Latest Update: July 28, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference:  
Impact CVSS Severity (version 2.0):  
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)  
Impact Subscore: 2.9  
Exploitability Subscore: 8.6  
Discover and Reporter: Wang Jing [School of Physical and Mathematical  
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]  
(@justqdjing)  
  
  
  
  
  
  
*Caution Details:*  
  
  
*(1) Vendor & Product Description:*  
  
  
*Vendor:*  
PhotoPost  
  
  
  
*Product & Vulnerable Versions:*  
PhotoPost PHP  
4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3  
  
  
  
*Vendor URL & Download:*  
Product can be obtained from here,  
http://www.photopost.com/featuresphp.html  
  
  
  
  
*Product Introduction Overview:*  
"Your search to find the best photo gallery has led you to the most feature  
rich, best performing, and most widely used gallery available today.  
PhotoPost is the best way to offer your users the ability to upload, show  
off, share, discuss, and rate photos and videos on your site. We originally  
created PhotoPost in 2001 for TechIMO.com, our parent company's own tech  
discussion website with 2 Million forum posts and 200,000 users, and within  
weeks we were inundated with requests, so we decided to develop it into a  
product. Over the past 8 years, PhotoPost has undergone more than 100 "dot"  
updates by a team of expert developers to add features, tweak performance,  
and maximize stability. Always in high demand, PhotoPost has been purchased  
by a staggering 14,500 websites. PhotoPost is most popular amongst  
vBulletin forum owners. That's because we designed PhotoPost from the  
beginning to integrate efficiently with a website's existing vBulletin  
forum, offering users one integrated login and registration instead of two,  
stylesheet integration, and other enhancements. But what PhotoPost does  
well for vBulletin owners, it does equally well for those that wish to  
integrate a gallery with many other forum types, or to simply add a photo  
gallery to their website with no forum at all. "  
  
  
  
  
  
  
  
  
  
  
*(2) Vulnerability Details:*  
PhotoPost PHP web application has a computer security problem. Hackers can  
exploit it by XSS cyber attacks. This may allow a remote attacker to create  
a specially crafted request that would execute arbitrary script code in a  
user's browser session within the trust relationship between their browser  
and the server.  
  
Several other similar products 0-day vulnerabilities have been found by  
some other bug hunter researchers before. PhotoPost PHP has patched some of  
them. CXSECurity is a huge collection of information on data communications  
safety. Its main objective is to inform about errors in various  
applications. It also publishes suggestions, advisories, solutions details  
related to XSS vulnerabilities and cyber intelligence recommendations.  
  
  
  
*(2.1) *The code flaw occurs at "|utmcct" parameter in "__utmz" cookie.  
  
  
For example, if a victim clicks the link below.  
http://localhost/gallery/showphoto.php/photo/846/sort/  
'"><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)>  
  
  
The content of "__utmz" cookie will be the following:  
__utma 194200300.1295483682.1438243020.1438243020.1438245659.2  
__utmc 194200300  
__utmz 194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com  
|utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral  
__qca P0-814178849-1438243024810  
__utmb 194200300  
bbsessionhash 1683dd3bd3edffbd8383db382f025eba  
bblastvisit 1438246612  
  
  
So the malicious code can work in the user's browser for long time.  
  
  
  
  
  
*(2.2) Forum Integrations*  
"PhotoPost can optionally integrate as an add-on to an existing forum on  
your site, and we do this extremely well. PhotoPost is a perfect fit with a  
forum, because sharing and discussing photos within PhotoPost comes  
naturally for a forum community.  
  
With our forum integration, your users will use their existing forum  
account to login to PhotoPost, without needing to register again and  
maintain a separate account. Additionally, we offer stylesheet integrations  
with several forums to easily setup your PhotoPost gallery to match your  
forum's look and feel, and with vBulletin 3.x we offer several additional  
enhancements."  
  
Forum Software User Login Stylesheets Enhanced*  
vBulletin 5.x  
vBulletin 4.x  
vBulletin 3.x  
Xenforo 1.x  
UBBThreads 6.X  
UBBThreads 7.X  
InvisionBoard 1.0  
InvisionBoard 2.0  
InvisionBoard 3.0  
FusionBB  
MyBB 1.0  
SMF 1.05 and up  
SMF 2.0 and up  
WowBB  
e107  
PHPBB 2.0  
PHPBB 3.0  
Wordpress 3.x  
vBulletin 2.x  
DCForums +  
IkonBoard  
Nuke  
PostNuke  
Mambo  
XMB Forums  
  
(Src:  
http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php  
)  
  
  
  
  
  
  
  
  
  
*References:*  
http://tetraph.com/security/xss-vulnerability/photopost-php/  
http://securityrelated.blogspot.com/2015/07/photopost-php-48c-cookie-based-stored.html  
https://progressive-comp.com/?l=full-disclosure&m=142649827629327&w=1  
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01901.html  
https://vulnerabilitypost.wordpress.com/2015/07/27/photopost-php/  
http://tetraph.blog.163.com/blog/static/234603051201563055350773/  
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1817  
http://www.inzeed.com/kaleidoscope/xss-vulnerability/rakuten-website-xss/  
http://seclists.org/fulldisclosure/2015/Mar/56  
http://lists.openwall.net/full-disclosure/2015/03/07/4  
  
  
  
  
  
  
  
--  
Jing Wang,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  
https://twitter.com/justqdjing  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Jul 2015 00:00Current
photopostphpcross site scriptingcookiestored xssvulnerabilitysecurity0-daybugweb applicationexploitvendorproductversionsadvisorypublicationcveimpactcvssseverityscoresubscorereporterdetailsflawparameterexploitabilitysolutions
66