Home / os / winmobile

PhotoPost PHP 4.8c Cross Site Scripting

Posted on 04 August 2015

PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security Vulnerability Product: PhotoPost PHP Vendor: PhotoPost Vulnerable Versions: 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3 Tested Version: 4.8c vB3 Advisory Publication: July 25, 2015 Latest Update: July 28, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 8.6 Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing) *Caution Details:* *(1) Vendor & Product Description:* *Vendor:* PhotoPost *Product & Vulnerable Versions:* PhotoPost PHP 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3 *Vendor URL & Download:* Product can be obtained from here, http://www.photopost.com/featuresphp.html *Product Introduction Overview:* "Your search to find the best photo gallery has led you to the most feature rich, best performing, and most widely used gallery available today. PhotoPost is the best way to offer your users the ability to upload, show off, share, discuss, and rate photos and videos on your site. We originally created PhotoPost in 2001 for TechIMO.com, our parent company's own tech discussion website with 2 Million forum posts and 200,000 users, and within weeks we were inundated with requests, so we decided to develop it into a product. Over the past 8 years, PhotoPost has undergone more than 100 "dot" updates by a team of expert developers to add features, tweak performance, and maximize stability. Always in high demand, PhotoPost has been purchased by a staggering 14,500 websites. PhotoPost is most popular amongst vBulletin forum owners. That's because we designed PhotoPost from the beginning to integrate efficiently with a website's existing vBulletin forum, offering users one integrated login and registration instead of two, stylesheet integration, and other enhancements. But what PhotoPost does well for vBulletin owners, it does equally well for those that wish to integrate a gallery with many other forum types, or to simply add a photo gallery to their website with no forum at all. " *(2) Vulnerability Details:* PhotoPost PHP web application has a computer security problem. Hackers can exploit it by XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. PhotoPost PHP has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations. *(2.1) *The code flaw occurs at "|utmcct" parameter in "__utmz" cookie. For example, if a victim clicks the link below. http://localhost/gallery/showphoto.php/photo/846/sort/ '"><marquee><h1>test</h1></marquee><svg/onload=prompt(/tetraph/)> The content of "__utmz" cookie will be the following: __utma 194200300.1295483682.1438243020.1438243020.1438245659.2 __utmc 194200300 __utmz 194200300.1438243020.1.1.utmccn=(referral)|utmcsr=mgs-on-track.com |utmcct=/gallery/showphoto.php/photo/846/sort/1%27%22%3E%3Cimg%20src=x%20onerror=alert%28%27tetraph%27%29%3E%3Cmarquee%3E%3Ch1%3Etest%3C/h1%3E%3C/marquee%3E|utmcmd=referral __qca P0-814178849-1438243024810 __utmb 194200300 bbsessionhash 1683dd3bd3edffbd8383db382f025eba bblastvisit 1438246612 So the malicious code can work in the user's browser for long time. *(2.2) Forum Integrations* "PhotoPost can optionally integrate as an add-on to an existing forum on your site, and we do this extremely well. PhotoPost is a perfect fit with a forum, because sharing and discussing photos within PhotoPost comes naturally for a forum community. With our forum integration, your users will use their existing forum account to login to PhotoPost, without needing to register again and maintain a separate account. Additionally, we offer stylesheet integrations with several forums to easily setup your PhotoPost gallery to match your forum's look and feel, and with vBulletin 3.x we offer several additional enhancements." Forum Software User Login Stylesheets Enhanced* vBulletin 5.x vBulletin 4.x vBulletin 3.x Xenforo 1.x UBBThreads 6.X UBBThreads 7.X InvisionBoard 1.0 InvisionBoard 2.0 InvisionBoard 3.0 FusionBB MyBB 1.0 SMF 1.05 and up SMF 2.0 and up WowBB e107 PHPBB 2.0 PHPBB 3.0 Wordpress 3.x vBulletin 2.x DCForums + IkonBoard Nuke PostNuke Mambo XMB Forums (Src: http://www.photopost.com/sites_frame.pl?http://www.photopost.com/photopost/adm-index.php ) *References:* http://tetraph.com/security/xss-vulnerability/photopost-php/ http://securityrelated.blogspot.com/2015/07/photopost-php-48c-cookie-based-stored.html https://progressive-comp.com/?l=full-disclosure&m=142649827629327&w=1 https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01901.html https://vulnerabilitypost.wordpress.com/2015/07/27/photopost-php/ http://tetraph.blog.163.com/blog/static/234603051201563055350773/ http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1817 http://www.inzeed.com/kaleidoscope/xss-vulnerability/rakuten-website-xss/ http://seclists.org/fulldisclosure/2015/Mar/56 http://lists.openwall.net/full-disclosure/2015/03/07/4 -- Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/justqdjing

 

TOP