Old August 26th, 2004, 04:52 PM   #1
sorcre
Registered User
 
Join Date: Aug 2004
Posts: 1
Is PhotoPost PHP safe?

I was searching around to check if it was safe and ran across this:

Description:

PhotoPost was designed to help you give your users exactly what they want. Your users will be thrilled to finally be able to upload and display their photos for your entire community to view and discuss, all with no more effort than it takes to post a text message to a forum. If you already have a forum (vBulletin, UBB Threads, phpBB, DCForum, or InvisionBoard), you'll appreciate that PhotoPost was designed to seamlessly integrate into your site without the need for your users to register twice and maintain two logins.

SQL Injection Vulnerability:

There are a large number of possibilities for SQL Injection in Photo Post. The most important thing to remember here is that this app ties directly into the affected website's forum system. So the aim of any smart attacker would be to try and use the vulnerabilities in this app to gain control of a forum by grabbing member password hashes. Below are example URLs.

addfav.php?photo=[SQL]
comments.php?photo=[SQL]
comments.php?photo=1&cedit=[SQL]
index.php?cat=[SQL]
showgallery.php?ppuser=[SQL]
showgallery.php?cat=[SQL]
uploadphoto.php?cat=[SQL]
useralbums.php?ppaction=delalbum&albumid=[SQL]
useralbums.php?ppaction=editalbum&albumid=[SQL]

I have not released any POC exploit for these issues, because like I said before the real danger in these holes is the fact they can be used to act against an installed forum system or other info in the database, and this varies GREATLY on each Photo Post installation depending on what forum is installed, and the table prefixes etc. etc. A Google search returned over a half of a million websites running Photo Post, so you can imagine the number of possibilities of the environment varying.

Script Injection:

A malicious user can inject script and html into several fields in Photo Post. The danger of this is that it allows an attacker to run arbitrary code in the context of the browser on any user that visits their album. Also, it can be used to run admin commands and the like by injecting script or html into a photo description that is awaiting approval by an admin. When the admin views the photo to be approved the code is then executed. Some examples of where this can take place are in photo names, photo descriptions, album names, and album descriptions.

Cross Site Scripting:

There are a number of Cross Site Scripting issues present in Photo Post. And as previously mentioned the danger of it being used against the forum in which it resides is also a very real threat. Below is a list of the XSS issues in showmembers.php, but it is also worth noting that any of the SQL Injection vulns previously mentioned can also be used for XSS if Injection cannot be successfully used.

showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&ppuser=10[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&password=[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=12&stype=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=7&perpage=1[XSS]
showmembers.php?cat=1&si=&page=7&sort=1[XSS]
showmembers.php?cat=1&si=&page=1[XSS]
showmembers.php?cat=1&si=1[XSS]
showmembers.php?cat=1[XSS]

Any of these XSS issues can be used to possibly steal cookies from the forum in which Photo Post resides, run code in a user's browser and more.

Denial of Service:

PhotoPost is prone to a denial of service attack that can allow an attacker to send a user (logged in or not) a malicious link that will result in the user not being able to gain normal access to the PhotoPost installation until they clear their cookies.

showmembers.php?perpage="><script>var%20i=1;%20while(i){alert(i);};</script>

This is possible because the "perpage" variable resides in the user's cookie. Like I said before, a user does not have to be logged in for this to happen.

Solution:

The vendor was contacted. Most of these issues do not seem to be present in 4.7 though. Original advisory @ http://www.gulftech.org/03282004.php

Notice:

These vulnerabilities are different than the one posted by goodb0y of Zone-H as seen here.

http://www.zone-h.org/en/advisories/read/id=3844/
http://www.securityfocus.com/archive/1/352372

It is important for the users of this program to know that in order to be safe.

Have these vulnerabilities been fixed?
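An added example, not part of the original post or of the advisory it quotes: a log audit that an administrator of an older PhotoPost install could run over web-server access logs to find requests where the parameters listed above carry something other than an integer, or carry HTML markup. That these parameters are integer-only, the `/photopost/` path and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> query parameters named in the advisory quoted above.
# Assumption of this example: each of these is meant to hold an integer.
INT_PARAMS = {
    "addfav.php": {"photo"},
    "comments.php": {"photo", "cedit"},
    "index.php": {"cat"},
    "showgallery.php": {"ppuser", "cat"},
    "uploadphoto.php": {"cat"},
    "useralbums.php": {"albumid"},
    "showmembers.php": {"cat", "page", "sort", "perpage", "ppuser", "stype"},
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r'[<>"]')  # characters that break out of an HTML attribute

def audit_line(line):
    """Return (script, parameter, reason) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in INT_PARAMS:
        return []
    findings = []
    # parse_qsl percent-decodes, so encoded quotes and brackets are seen too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if MARKUP.search(value):
            findings.append((script, name, "markup"))
        elif name in INT_PARAMS[script] and not re.fullmatch(r"[0-9]*", value):
            findings.append((script, name, "non-integer"))
    return findings

# Constructed sample lines (documentation IP range, assumed /photopost/ path).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2004:16:52:01 -0500] "GET /photopost/showgallery.php?cat=500&ppuser=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Aug/2004:16:52:07 -0500] "GET /photopost/comments.php?photo=1&cedit=7%27 HTTP/1.1" 200 311',
    '203.0.113.9 - - [26/Aug/2004:16:52:09 -0500] "GET /photopost/showmembers.php?perpage=%22%3E%3Cscript%3E HTTP/1.1" 200 4096',
    '203.0.113.7 - - [26/Aug/2004:16:53:00 -0500] "GET /photopost/showmembers.php?cat=1&si=&page=7&sort=7&perpage=12 HTTP/1.1" 200 4096',
]

def audit(lines):
    """Map 1-based line number -> findings, skipping clean lines."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = audit_line(line)
        if found:
            hits[n] = found
    return hits
```

Access logs record query strings only, so values sent in POST bodies or in cookies are outside what this audit can see.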
Old August 26th, 2004, 05:08 PM   #2
Chuck S
Photopost Developer
Verified Customer
 
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 75,115
To my knowledge yes and that old thread you read states so in 4.7

We are on 4.8.2
__________________
Photopost Developer and Support Engineer

Please do not PM me for support or sales questions. Thank you for your understanding.