February 2nd, 2012, 02:19 PM
#1
Member
Join Date: Feb 2002
Posts: 167
Exploit in VB Gallery 2.5.1
For some reason I cannot post in the vbgallery support forums, so here is the only place I could put it.
There is an exploit in photopost VBGallery 2.5.1 in the email to friend feature. A malicious user can use it to send spam because none of the fields are sanitized properly in misc.php: Code: Content visible to verified customers only.
The sendtoname and subject fields need to be sanitized beyond just HTML, carriage returns, etc.
A guest on our site pumped out massive amounts of spam with this. Fortunately for us, we log all email sent by the mail() function and log message headers and exact time. With that we were able to trace it back in the apache logs to the user using this feature.
We have disabled it on our sites, but it is still vulnerable in the current download.
February 2nd, 2012, 02:33 PM
#2
Member
Join Date: Feb 2002
Posts: 167
Hmm, I don't really have time to trace everything back in the code, but I think even if you disable this in the CP, it is still there if a bot posts to it. It LOOKS like the only thing the perm change does is not display the form...
February 2nd, 2012, 03:43 PM
#3
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
Hmm, well, no idea why you say it is not sanitized; it looks fine to me, as it is indeed run through the vBulletin sanitizer function.
You can try changing TYPE_NOHTML to TYPE_STR, but I really cannot say whether it would make any difference, as you really have not provided any direct examples of the specific problem you're having.
February 2nd, 2012, 05:09 PM
#5
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
I hear what you're saying; I just do not see what option they use for that in vBulletin, is what I am saying. Obviously we are using the common, normal vB sanitation routines, which is what vbgallery does.
I checked the vBulletin sendmessage.php script and this is what they do: Code: Content visible to verified customers only.
Therefore, from what I see, using TYPE_STR would be the same as what the vBulletin forum is using to sanitize the email message or sender email.
February 2nd, 2012, 05:18 PM
#6
Member
Join Date: Feb 2002
Posts: 167
vBulletin doesn't allow the user to create the TO user. Yours does.
**Edited, changed FROM to TO
February 2nd, 2012, 05:26 PM
#7
Member
Join Date: Feb 2002
Posts: 167
Try to use the vB sendtofriend feature and put something like this in the To line: joe@schmoe.com, bob@bill.com, etc@etc.com. Doesn't work, does it?
This is why: Code: Content visible to verified customers only.
February 2nd, 2012, 05:40 PM
#8
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
Actually a little different, as you would need to use vbGallery variables; it should look like this in misc.php: Code: Content visible to verified customers only.
February 2nd, 2012, 07:11 PM
#9
Member
Join Date: Feb 2002
Posts: 167
Not sure, all I see is "Content visible to verified customers only." I guess I am not verified anymore, lol.
February 2nd, 2012, 08:10 PM
#10
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070

February 12th, 2012, 12:45 AM
#11
Member, Verified Customer
Join Date: Oct 2004 Location: Florida
Posts: 318
Please lend a hand to place the above code exactly into misc.php: Code: Content visible to verified customers only.
February 12th, 2012, 08:30 AM
#12
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
You are replacing that if clause with the one I have in bold in my example; it is around line 245 of misc.php.
February 12th, 2012, 11:33 AM
#13
Member, Verified Customer
Join Date: Oct 2004 Location: Florida
Posts: 318
The script still sent out the email.
I have now commented out...
Do Send to Friend
and
Email Friend
I will wait for the next upgrade.
=============
NOT logged in: Code: Content visible to verified customers only.
where i=16 is any valid image number
February 12th, 2012, 12:12 PM
#14
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
imageid is simply the image id.
The email to friend link is going to appear to any group you have given permission to use the feature. As long as they enter a valid email and a valid message, sure, any message would be sent out.
February 12th, 2012, 12:46 PM
#15
Member, Verified Customer
Join Date: Oct 2004 Location: Florida
Posts: 318
I'm referring to users not logged in. This is the way the exploit was used.
Nothing to do with permissions.
February 12th, 2012, 01:06 PM
#16
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
If you are allowing a usergroup to use the send to friend link, they would indeed be allowed to send an email, is what I am saying.
I would bet on your setup the send to friend link appears for all right?
February 12th, 2012, 01:16 PM
#17
Member, Verified Customer
Join Date: Oct 2004 Location: Florida
Posts: 318
No, the drop down link was not there.
This spam outfit obviously knew about the exploit. They were NOT logged in, nor had they ever registered.
They simply used the same URL each time: Code: Content visible to verified customers only.
Which worked for them to send hundreds of spam emails while NOT logged in until I commented out code in misc.php. Now they'll get a white screen.
The other thing about this exploit was that HUNDREDS of email addresses could be placed in the To: line.
inetnum: 124.107.69.88 - 124.107.69.88
netname: SLITES
country: PH
descr: 322367987_Edago Dexter Cyberzone Co.
Last edited by oldengine; February 12th, 2012 at 01:21 PM.
February 12th, 2012, 01:23 PM
#18
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
I will pass it along, but the way it is designed, from what I see, is that the actual permissions are applied before the link appears, so maybe applying those same permissions to that part will stop things. I would have to see
February 15th, 2012, 08:01 AM
#19
Photopost Developer, Verified Customer
Join Date: Jun 2002 Location: Abingdon, MD
Posts: 68,070
You can try this; what this should do is only send an email if you give the usergroup permission to use the feature.
Other than that, there is no way to stop people from using a feature you permit users to use.
You can compare the function here to the one in your misc.php file to see what I did. Code: Content visible to verified customers only.
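The three hardening points the thread converges on (the usergroup permission check done inside the handler rather than only when rendering the link, a single recipient instead of a comma-separated list, and no line breaks in the sendtoname or subject fields) written out as an added PHP example; this is not vbGallery's or vBulletin's code, and the function names, form-field keys and the `cansendtofriend` permission key are assumptions.

```php
<?php
// Added example, not vbGallery's or vBulletin's own code: a hardened
// validation step for an "email this image to a friend" handler.
// Function names and the $post / $perms keys are hypothetical. Needs PHP 8.0+.

declare(strict_types=1);

/** Refuse values that could smuggle extra mail headers (CR, LF, NUL). */
function header_safe(string $value, int $maxlen): string|false
{
    if (preg_match('/[\r\n\x00]/', $value) === 1 || strlen($value) > $maxlen) {
        return false;
    }
    return trim($value);
}

/** Exactly one syntactically valid address; comma/semicolon lists are refused. */
function single_address(string $value): string|false
{
    $value = trim($value);
    if (str_contains($value, ',') || str_contains($value, ';')) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) ?: false;
}

/**
 * Validate a send-to-friend request. Returns the clean envelope on success
 * or an error string. The permission gate runs here, in the handler, so a
 * guest who posts straight to the URL is stopped even when the link is hidden.
 */
function validate_send_to_friend(array $post, array $perms): array|string
{
    if (empty($perms['cansendtofriend'])) {
        return 'no permission';
    }
    $to   = single_address((string)($post['sendtoemail'] ?? ''));
    $name = header_safe((string)($post['sendtoname'] ?? ''), 64);
    $subj = header_safe((string)($post['subject'] ?? ''), 120);
    if ($to === false || $name === false || $subj === false) {
        return 'invalid recipient, name or subject';
    }
    // The message is free text: it belongs in the body, never in a header.
    $body = str_replace("\0", '', (string)($post['message'] ?? ''));
    return ['to' => $to, 'name' => $name, 'subject' => $subj, 'body' => $body];
}

// A guest with no permission is refused before any field is even looked at:
var_dump(validate_send_to_friend(['sendtoemail' => 'a@x.test, b@y.test'], []));
```

Only the returned envelope should ever reach mail(); logging the envelope and timestamp at that point is what let the first poster trace the abuse back through the Apache logs.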