Date: Sat, 18 Jul 2015 11:41:15 -0400 (EDT)
Subject: Re: CVE request: Zenphoto before 1.4.9 multiple vulnerabilities


> Can I get CVEs for vulnerabilities fixed in Zenphoto 1.4.9 ...
> says "Fixes several SQL Injection,
> XSS and path traversal


For purposes of CVE assignments, one important part of this blog post

  In practice, it doesn't matter, because an attacker can just edit a
  legitimate PHP theme file and inject <?php passthru($_GET['c']) ?>

In other words, it appears that the design of Zenphoto intentionally
gives the admin an ability to execute arbitrary code on the server.
This ability apparently also extends to users with the THEMES_RIGHTS
right. The researcher suggests:

  It is still a good idea to fix this, as users might disable the
  file edit functionality themselves to increase security.

We couldn't immediately find documentation suggesting that there is a
supported way to use the product without letting an admin execute
arbitrary code (e.g., by deleting/changing admin-themes-editor.php or
possibly other files). In general, the scope of CVE doesn't include
questionable behaviors that have security relevance only if a user
modifies a product.

Now, to consider the individual issues:

> There are multiple second order error based SQL injections into the
> ORDER BY keyword in the admin area.

This seems to allow exploitation by users who have only the
OPTIONS_RIGHTS right. Use CVE-2015-5591.

> XSS 1
> sanitize_string, which does not adequately protect against any attacks

The product is apparently trying to prevent all XSS but has three
independent types of mistakes described by the researcher.

>       $content = preg_replace('~<script.*?/script>~is', '', $content);
>       $content = preg_replace('~<style.*?/style>~is', '', $content);

>       $content = strip_tags($content);

Identifying only a short list of relevant elements (e.g., SCRIPT and
STYLE) and relying on strip_tags are both incomplete protection
mechanisms. Use CVE-2015-5592.

This specific use of preg_replace also has an implementation error,
noted by the researcher in the first "can be easily bypassed" example
involving multiple SCRIPT elements. Use CVE-2015-5593.

>       $content = html_entity_decode($content, ENT_QUOTES, 'UTF-8');

Finally, the placement of html_entity_decode after input sanitization
is inconsistent with the function's purpose. Use CVE-2015-5594.

> Directory Traversal

This has no CVE ID because it doesn't cross privilege boundaries.

> XSS 2
> admin.php?action=external&error=" onmouseover="alert('xsstest')" foo="bar

We don't think this is an independent type of issue. admin.php has a
call to sanitize($_GET['error']), and this seems to use
sanitize_string. The three CVE IDs related to sanitize_string also
apply to this admin.php behavior.

> Execute Function
> admin.php?action=phpinfo

> An admin user can execute any function they want via this URL (there
> is also no CSRF protection for it)

> I'm reporting this because as defense in depth, it's a good idea to
> not allow execution of arbitrary functions. I have not found a way to
> actually exploit it

We feel that action=ingres_connect seems to be a relevant example. says "If some
parameters are missing, ingres_connect() uses the values in php.ini
for ingres.default_database, ingres.default_user and
ingres.default_password." This is, more or less, a CSRF with resultant
SSRF: the attacker can cause a denial of service by triggering many
connections to a (victim-specified) remote Ingres database.

Use CVE-2015-5595 for this CSRF issue. An intentional call to
admin.php?action= doesn't cross privilege boundaries because it
requires that the attacker is an admin.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
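
Added example, not part of the original message and not Zenphoto's own code: the three statements quoted above, run in the order the message describes, next to one possible corrected ordering that decodes first and encodes at output. The function names `sanitize_as_quoted`, `normalize_input` and `html_out` are hypothetical, the first sample is constructed and benign, and the second is the `error` value quoted under "XSS 2".

```php
<?php
// Added illustration. Only the preg_replace/strip_tags/html_entity_decode
// statements come from the message; everything else is an assumption.

// The quoted statements in their reported order: entities are decoded
// after the tag filters have already run.
function sanitize_as_quoted(string $content): string {
    $content = preg_replace('~<script.*?/script>~is', '', $content);
    $content = preg_replace('~<style.*?/style>~is', '', $content);
    $content = strip_tags($content);
    return html_entity_decode($content, ENT_QUOTES, 'UTF-8');
}

// Hypothetical corrected handling, step 1: decode first, so the tag filter
// sees the same text that will later be stored or displayed.
function normalize_input(string $content): string {
    $content = html_entity_decode($content, ENT_QUOTES, 'UTF-8');
    return strip_tags($content);
}

// Step 2: encode for the HTML context at the point of output. ENT_QUOTES
// covers both quote characters, so the value is safe inside an attribute.
function html_out(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
    // Constructed, benign sample: markup that arrives entity-encoded.
    'encoded tag'    => '&lt;b&gt;bold&lt;/b&gt;',
    // The error= value quoted in the message (contains no tags at all).
    'attribute text' => '" onmouseover="alert(\'xsstest\')" foo="bar',
];

foreach ($samples as $label => $input) {
    $old = sanitize_as_quoted($input);
    $new = html_out(normalize_input($input));
    printf("%s\n  quoted order    : %s\n  decode, encode  : %s\n", $label, $old, $new);
    // True when the result could still open a tag or close an attribute.
    $risky = static fn(string $s): bool => strpbrk($s, '<>"') !== false;
    printf("  markup chars left: quoted=%s corrected=%s\n",
        var_export($risky($old), true), var_export($risky($new), true));
}
```

With the quoted order, the encoded tag comes back as live markup and the attribute text passes through with its double quotes intact; with the corrected order, neither result contains `<`, `>` or `"`.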