Zenphoto config update and command execute Vulnerability


Abysssec Research

1) Advisory information

Title : Zenphoto config update and command execute Vulnerability
Affected : Zenphoto <= 1.3
Discovery : www.abysssec.com
Vendor : http://www.zenphoto.org
Impact : Critical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec

2) Vulnerability Information

Class :
1- Remote Config Update
2- Remote Command Execute

Exploiting this issue could allow an attacker to compromise the application, access
or modify data, or exploit latent vulnerabilities in the underlying
application/server.

Remotely Exploitable : Yes
Locally Exploitable : No


3) Vulnerability details

1- Remote Config Update:

Line 25 of setup.php defines the config file that setup writes (CONFIGFILE):

    define('CONFIGFILE',dirname(dirname(__FILE__)).'/'.DATA_FOLDER.'/zp-config.php');

At first glance setup.php looks secure: if zp-config.php already exists and the MySQL
server it names can be reached, setup.php reads the administrators table from the
database and asks you for a user name and password.

Line 128 of setup.php updates the config file with only a poor security check. The MySQL
settings are copied straight from the POST request as soon as a mysql field is present;
nothing in this branch requires the request to come from an authenticated administrator:

    if (isset($_POST['mysql'])) { //try to update the zp-config file
        setupLog(gettext("MySQL POST handling"));
        $updatezp_config = true;
        if (isset($_POST['mysql_user'])) {
            updateItem('mysql_user', $_POST['mysql_user']);
        }
        if (isset($_POST['mysql_pass'])) {
            updateItem('mysql_pass', $_POST['mysql_pass']);
        }
        if (isset($_POST['mysql_host'])) {
            updateItem('mysql_host', $_POST['mysql_host']);
        }
        if (isset($_POST['mysql_database'])) {
            updateItem('mysql_database', $_POST['mysql_database']);
        }
        if (isset($_POST['mysql_prefix'])) {
            updateItem('mysql_prefix', $_POST['mysql_prefix']);
        }
    }
The config file is then written back without any further check:

    if ($updatezp_config) {
        @chmod(CONFIGFILE, 0666 & $chmod);
        if (is_writeable(CONFIGFILE)) {
            if ($handle = fopen(CONFIGFILE, 'w')) {
                if (fwrite($handle, $zp_cfg)) {
                    setupLog(gettext("Updated zp-config.php"));
                    $base = true;
                }
            }
            fclose($handle);
        }
    }

The write succeeds whenever the web server can write zp-config.php (setup even tries to
chmod it first), so a single remote POST to setup.php carrying a mysql field replaces the
MySQL host, user, password, database and table prefix that the application connects with.
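
As an added example (not Zenphoto's code and not part of the original advisory), the
following shows how the two blocks above could be hardened: the MySQL settings are applied
only for an authenticated administrator, every value is validated before it is written into
the config text, and the file is replaced atomically with owner-only permissions instead of
chmod 0666 followed by a plain fopen('w'). The $isAdmin flag, the $conf['...'] line format
of zp-config.php and the helper names are assumptions made for the example.

```php
<?php
// Added example, not Zenphoto's code: a hardened form of the setup.php
// MySQL POST handling quoted above. Assumptions: $isAdmin is the result of
// the application's own administrator-session check, and zp-config.php
// stores settings as lines of the form  $conf['mysql_user'] = '...';
declare(strict_types=1);

/** Validate one MySQL setting; returns null when the value is rejected. */
function validMysqlValue(string $key, string $value): ?string
{
    // A conservative charset for identifiers is defence in depth: even if the
    // config writer did not escape, the value could not close the string literal.
    $rules = [
        'mysql_user'     => '/^[A-Za-z0-9_.\-]{1,64}$/',
        'mysql_host'     => '/^[A-Za-z0-9_.\-]+(:[0-9]{1,5})?$/',
        'mysql_database' => '/^[A-Za-z0-9_\-]{1,64}$/',
        'mysql_prefix'   => '/^[A-Za-z0-9_]{0,32}$/',
    ];
    if ($key === 'mysql_pass') {
        // Passwords may be arbitrary; var_export() escapes them on write.
        return (strlen($value) <= 128 && !preg_match('/[\r\n\0]/', $value)) ? $value : null;
    }
    return (isset($rules[$key]) && preg_match($rules[$key], $value) === 1) ? $value : null;
}

/** Stand-in for updateItem(): replace or append one $conf[...] line in the config text. */
function setConfigItem(string $cfg, string $key, string $value): string
{
    $line    = "\$conf['$key'] = " . var_export($value, true) . ';';
    $pattern = '/^\$conf\[\'' . preg_quote($key, '/') . '\'\]\s*=.*$/m';
    if (preg_match($pattern, $cfg) === 1) {
        return preg_replace_callback($pattern, fn() => $line, $cfg, 1);
    }
    return rtrim($cfg) . "\n" . $line . "\n";
}

/**
 * Apply the mysql_* fields of a POST to the config text.
 * Returns the new text, or null when the request is refused.
 */
function applyMysqlPost(array $post, bool $isAdmin, string $cfg): ?string
{
    // The check the original lacks: only an authenticated administrator
    // may change which database the application trusts.
    if (!$isAdmin || !isset($post['mysql'])) {
        return null;
    }
    foreach (['mysql_user', 'mysql_pass', 'mysql_host', 'mysql_database', 'mysql_prefix'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            continue;
        }
        $value = validMysqlValue($key, $post[$key]);
        if ($value === null) {
            return null; // one bad field refuses the whole update
        }
        $cfg = setConfigItem($cfg, $key, $value);
    }
    return $cfg;
}

/** Write the config atomically, owner-only, instead of chmod 0666 + fopen('w'). */
function writeConfig(string $path, string $contents): bool
{
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    if (file_put_contents($tmp, $contents, LOCK_EX) === false) {
        return false;
    }
    chmod($tmp, 0600);           // the web server user owns the file; nobody else needs it
    if (!rename($tmp, $path)) {  // rename() is atomic on the same filesystem
        @unlink($tmp);
        return false;
    }
    return true;
}

// Constructed sample config and requests (not captured from a real site).
$sampleCfg = "<?php\n\$conf['mysql_host'] = 'localhost';\n\$conf['mysql_user'] = 'zp';\n";
$request   = ['mysql' => '1', 'mysql_host' => 'db.attacker.example', 'mysql_user' => 'x', 'mysql_pass' => 'y'];

var_dump(applyMysqlPost($request, false, $sampleCfg) === null);   // anonymous: refused
var_dump(strpos((string) applyMysqlPost($request, true, $sampleCfg), "'db.attacker.example'") !== false); // admin: applied
$injection = ['mysql' => '1', 'mysql_host' => "x'; system('id'); //"];
var_dump(applyMysqlPost($injection, true, $sampleCfg) === null);   // admin, but value rejected
```

The authentication gate is the fix that matters; the charset rules and the atomic,
owner-only write are what a reviewer would additionally ask for, since a config file that
is world-writable (0666) can be rewritten by any other local account on a shared host.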

After changing the admin password, you can edit themes from the Themes tab, upload your
malicious PHP file and execute your own commands on the server.

