Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 18 Jul 2015 11:41:15 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Zenphoto before 1.4.9 multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Can I get CVEs for vulnerabilities fixed in Zenphoto 1.4.9 ...
> http://www.zenphoto.org/news/zenphoto-1.4.9 says "Fixes several SQL Injection,
> XSS and path traversal

> http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/

For purposes of CVE assignments, one important part of this blog post
is:

  In practice, it doesn't matter, because an attacker can just edit a
  legitimate PHP theme file and inject <?php passthru($_GET['c']) ?>

In other words, it appears that the design of Zenphoto intentionally
gives the admin an ability to execute arbitrary code on the server.
This ability apparently also extends to users with the THEMES_RIGHTS
right. The researcher suggests:

  It is still a good idea to fix this, as users might disable the
  file edit functionality themselves to increase security.

We couldn't immediately find documentation suggesting that there is a
supported way to use the product without letting an admin execute
arbitrary code (e.g., by deleting/changing admin-themes-editor.php or
possibly other files). In general, the scope of CVE doesn't include
questionable behaviors that have security relevance only if a user
modifies a product.

Now, to consider the individual issues:

> There are multiple second order error based SQL injections into the
> ORDER BY keyword in the admin area.

This seems to allow exploitation by users who have only the
OPTIONS_RIGHTS right. Use CVE-2015-5591.


> XSS 1
> sanitize_string, which does not adequately protect against any attacks

The product is apparently trying to prevent all XSS but has three
independent types of mistakes described by the researcher.

>       $content = preg_replace('~<script.*?/script>~is', '', $content);
>       $content = preg_replace('~<style.*?/style>~is', '', $content);

>       $content = strip_tags($content);

Identifying only a short list of relevant elements (e.g., SCRIPT and
STYLE) and relying on strip_tags are both incomplete protection
mechanisms. Use CVE-2015-5592.

This specific use of preg_replace also has an implementation error,
noted by the researcher in the first "can be easily bypassed" example
involving multiple SCRIPT elements. Use CVE-2015-5593.

>       $content = html_entity_decode($content, ENT_QUOTES, 'UTF-8');

Finally, the placement of html_entity_decode after input sanitization
is inconsistent with the function's purpose. Use CVE-2015-5594.


> Directory Traversal

This has no CVE ID because it doesn't cross privilege boundaries.


> XSS 2
> admin.php?action=external&error=" onmouseover="alert('xsstest')" foo="bar

We don't think this is an independent type of issue. admin.php has a
call to sanitize($_GET['error']), and this seems to use
sanitize_string. The three CVE IDs related to sanitize_string also
apply to this admin.php behavior.


> Execute Function
> admin.php?action=phpinfo

> An admin user can execute any function they want via this URL (there
> is also no CSRF protection for it)

> I'm reporting this because as defense in depth, it's a good idea to
> not allow execution of arbitrary functions. I have not found a way to
> actually exploit it

We feel that action=ingres_connect seems to be a relevant example.
http://php.net/manual/function.ingres-connect.php says "If some
parameters are missing, ingres_connect() uses the values in php.ini
for ingres.default_database, ingres.default_user and
ingres.default_password." This is, more or less, a CSRF with resultant
SSRF: the attacker can cause a denial of service by triggering many
connections to a (victim-specified) remote Ingres database.

Use CVE-2015-5595 for this CSRF issue. An intentional call to
admin.php?action= doesn't cross privilege boundaries because it
requires that the attacker is an admin.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVqm1+AAoJEKllVAevmvms2ccH/3lD5AOAzdh9YtJBP+rBv4OO
RMb0QpjWKcEWjXXMZzLeYQLiHX0HG63+NIpTajrTgCMRoWyjZB+ay+XkH6mbFvB3
wiMm9IP6IVx7nfc8jzJLJtHfMrGgczr06i0sUPWoncVE1nIv6ErS/qrCbW7CL2BU
/0lkuWeX4G18aANWrULuxKxrzLhx+fy4jvSHNQPab6Hje6amxEtQZkxp3df2oHIT
/CFICBItz4mo3JvuhMJqzFGoqp+C+itPwO+S+9Uromw7XIA/aztdUesDANY2OjvH
eso6opnRHWql4WfKvR9TyuLio54kK96BaD61H6nCahcoe6J2BYP19wP4nlzf8RE=
=/q0j
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.