Abysssec Research
1) Advisory information
| Title | Zenphoto config update and command execute Vulnerability |
| Affected | Zenphoto <= 1.3 |
| Discovery | www.abysssec.com |
| Vendor | http://www.zenphoto.org |
| Impact | Critical |
| Contact | shahin [at] abysssec.com , info [at] abysssec.com |
| @abysssec |
2) Vulnerability Information
| Class | Remote Config Update / Remote Command Execute |
| Impact | Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying application/server. |
| Remotely Exploitable | Yes |
| Locally Exploitable | No |
3) Vulnerabilities detail
Remote Config Update
———-
Line 25:
———-

```php
// Setup config file CONFIGFILE:
define('CONFIGFILE', dirname(dirname(__FILE__)) . '/' . DATA_FOLDER . '/zp-config.php');
```
setup.php looks secure at first glance: if zp-config.php is present and MySQL can connect to the server, setup.php reads the administrators table from the MySQL database and prompts you for a username and password.
———–
Line 128:
———–

```php
// Update config file with a poor security check: the POST fields are written
// into the config without any authentication of the requester.
if (isset($_POST['mysql'])) { // try to update the zp-config file
    setupLog(gettext("MySQL POST handling"));
    $updatezp_config = true;
    if (isset($_POST['mysql_user'])) {
        updateItem('mysql_user', $_POST['mysql_user']);
    }
    if (isset($_POST['mysql_pass'])) {
        updateItem('mysql_pass', $_POST['mysql_pass']);
    }
    if (isset($_POST['mysql_host'])) {
        updateItem('mysql_host', $_POST['mysql_host']);
    }
    if (isset($_POST['mysql_database'])) {
        updateItem('mysql_database', $_POST['mysql_database']);
    }
    if (isset($_POST['mysql_prefix'])) {
        updateItem('mysql_prefix', $_POST['mysql_prefix']);
    }
}
```
The config file is then written back without any further check:

```php
if ($updatezp_config) {
    // the config file is made group/world-writable before it is rewritten
    @chmod(CONFIGFILE, 0666 & $chmod);
    if (is_writeable(CONFIGFILE)) {
        if ($handle = fopen(CONFIGFILE, 'w')) {
            if (fwrite($handle, $zp_cfg)) {
                setupLog(gettext("Updated zp-config.php"));
                $base = true;
            }
        }
        fclose($handle);
    }
}
```
After changing the admin password, you can edit themes from the Themes tab, upload your own PHP file and execute your own commands.
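As an added defender-side check (not part of the advisory or of Zenphoto's own code), the script below audits an install directory for the three conditions described above: a setup.php that is still deployed, a zp-config.php left group/world-writable by the chmod 0666, and a mysql_host that no longer points at a trusted database server. It assumes DATA_FOLDER is `zp-data`, that setup.php lives in `zp-core/`, and that the config stores the host as `$conf['mysql_host'] = '...';`.

```python
"""Audit a Zenphoto install for a deployed setup.php, a writable zp-config.php
and a mysql_host outside the trusted set (assumed paths, see comments)."""
import os
import re
import stat
import tempfile

DATA_FOLDER = "zp-data"  # assumed value of Zenphoto's DATA_FOLDER constant
TRUSTED_DB_HOSTS = {"localhost", "127.0.0.1"}
# Assumed layout of the host entry, e.g. $conf['mysql_host'] = 'localhost';
_HOST_RE = re.compile(r"""['"]mysql_host['"]\]?\s*(?:=>|=)\s*['"]([^'"]*)['"]""")


def config_path_for(setup_php: str) -> str:
    """Mirror CONFIGFILE: dirname(dirname(setup.php))/DATA_FOLDER/zp-config.php."""
    root = os.path.dirname(os.path.dirname(os.path.abspath(setup_php)))
    return os.path.join(root, DATA_FOLDER, "zp-config.php")


def audit(root: str) -> list:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "setup.php" not in files:
            continue
        setup_php = os.path.join(dirpath, "setup.php")
        findings.append("setup script still deployed: " + setup_php)
        cfg = config_path_for(setup_php)
        if not os.path.isfile(cfg):
            continue
        mode = stat.S_IMODE(os.stat(cfg).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"zp-config.php writable by group/other (mode {mode:04o})")
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            match = _HOST_RE.search(fh.read())
        if match and match.group(1) not in TRUSTED_DB_HOSTS:
            findings.append(f"mysql_host points outside the trusted set: {match.group(1)!r}")
    return findings


def demo() -> list:
    """Build a constructed sample install that triggers all three findings."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "zp-core"))  # assumed location of setup.php
    os.makedirs(os.path.join(root, DATA_FOLDER))
    open(os.path.join(root, "zp-core", "setup.php"), "w").close()
    cfg = os.path.join(root, DATA_FOLDER, "zp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n$conf['mysql_host'] = 'db.example.invalid';\n")
    os.chmod(cfg, 0o666)  # the mode setup.php applies before rewriting the file
    return audit(root)
```

Run `audit("/path/to/zenphoto")` against a real install; an empty list means none of the three conditions was found.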
Check out the Zenphoto Config Update and Command Execute Vulnerability Exploit.