PhotoPost vBGallery is a popular commercial image gallery add-on for
vBulletin which is developed by All Enthusiasts, Inc.
http://www.photopost.com
PhotoPost vBGallery 2.5 allows a user to modify the gallery settings for
his profile page if the function is enabled and the user has permission
to do so.
For this function to work, PhotoPost vBGallery adds a plug-in to the hook
profile_start.
The PHP code in this plug-in displays a form which allows the user to
customize the settings and saves them into the database.
The SQL constructed for the action updatevbgallery contains variables
that are not properly sanitized:
The POST variables profile_include and profile_exclude are treated as
HTML-safe strings and used in the SQL directly, although only
comma-separated integers are valid.
The POST variable profile_showimg is also processed as an HTML-safe string,
although only integer values are valid.
The POST variable profile_column is also processed as an HTML-safe string
but is not made SQL-safe.
The POST variable array profile_imagebitdisplay is stored without
being made SQL-safe.
Affected Version(s): 2.5
Not affected Versions: Versions prior to 2.5
This exploit shows how to get the password hash and salt of an
administrator account.
Preconditions
Invalid SQL:
SELECT imageid, images.title, images.description, filename,
thumbname, originalname, extension, images.catid ,images.userid,
images.username, images.description, images.dateline, images.views,
posts ,width, height, originalwidth, originalheight ,filesize,
originalfilesize, images.lastpostdateline, images.lastpostuserid,
images.lastpostusername, votenum, votetotal, categories.title AS cattitle
FROM ppgal_images AS images
LEFT JOIN ppgal_categories AS categories USING (catid)
WHERE valid = 1 AND images.userid = 5
The string after "AND images.catid NOT IN (" is the password hash and
salt of user ID 1 separated by |||
Properly sanitize user input and run strings through $db->escape_string()
before saving them into the database.
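As an added illustration of that fix (example code, not PhotoPost's or vBulletin's own), each of the POST variables named above is coerced to the type it may legitimately hold before any SQL is built from it, and the catid restriction of the image query is assembled only from validated integers. It assumes $db is vBulletin's database object providing escape_string(), that profile_include maps to IN and profile_exclude to NOT IN, and uses constructed sample input.

```php
<?php
// Added example (not PhotoPost's or vBulletin's own code): coerce each
// profile setting to the type it may legitimately hold before any SQL
// is built from it. $db is assumed to be vBulletin's database object.

// profile_include / profile_exclude: only comma-separated integers are
// valid, so anything that is not a plain integer is dropped.
function vbgallery_clean_id_list($raw)
{
    $ids = array();
    foreach (explode(',', (string) $raw) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}
// profile_showimg: only an integer is valid.
function vbgallery_clean_int($raw, $default = 0)
{
    return is_numeric($raw) ? (int) $raw : $default;
}
// profile_column: free-form string, so it must be SQL-escaped
// (HTML-safe is not the same as SQL-safe).
function vbgallery_clean_string($db, $raw)
{
    return $db->escape_string((string) $raw);
}
// profile_imagebitdisplay: an array whose elements are all cast to int.
function vbgallery_clean_int_array($raw)
{
    return is_array($raw) ? array_map('intval', $raw) : array();
}
// catid restriction for the image query, built only from validated ids.
// Assumption: include maps to IN and exclude to NOT IN.
function vbgallery_catid_filter(array $include, array $exclude)
{
    $sql = '';
    if ($include) {
        $sql .= ' AND images.catid IN (' . implode(',', $include) . ')';
    }
    if ($exclude) {
        $sql .= ' AND images.catid NOT IN (' . implode(',', $exclude) . ')';
    }
    return $sql;
}
// Constructed sample input: the second list carries non-numeric junk,
// which is discarded instead of reaching the query.
$post = array('profile_include' => '3, 7,7', 'profile_exclude' => '5, x');
echo vbgallery_catid_filter(vbgallery_clean_id_list($post['profile_include']),
                            vbgallery_clean_id_list($post['profile_exclude']));
```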
All Enthusiasts, Inc. was informed about this vulnerability on
2010/03/17 but has not yet released a patch.