[LoWNOISE] ImageFolio Pro 2.2

From: ET LoWNOISE (etat_private)
Date: Sat Jun 08 2002 - 23:19:35 PDT


    Hi.
    
    [LoWNOISE] ImageFolio Pro 2.2         
    -----------------------------------------------------------------
                              by ET etat_private Colombia JuN/02 
    
    
    -[Product:    BizDesign ImageFolio Pro Edition 2.2
                  www.imagefolio.com
    
    
    -[Description:
    
    (Taken from website)
    
    ImageFolio is a multi-platform, server-based, software
    product suite that fully automates the process of viewing,
    publishing, maintaining, distributing, archiving, and marketing
    Web-based multimedia gallery. ImageFolio supports all media types, 
    including images, video, and sound.
    
    
    -[Tested Versions: 
    
                  - V2.2 Professional Edition (UNIX), 
                  - (Maybe others)
    
    -[In theory NOT vulnerable:
    
    (After finding the little hole) reading a small note in a new 
    installation guide you find:
    
    "To prevent other people from accessing the setup script directly 
    and adding themselves as a user, rename setup.cgi and update $setup_url 
    in your admin_config.pl to reflect this change. UPDATE: this is not 
    needed anymore in version 2.27 and later since it has a built-in 
    security check."
    
    The problem is that they forgot about the many versions < 2.27 that 
    are active and running today. (And I haven't seen any public warning 
    about it.) 
     
    
    -[Problems:
    
    +[Weak access control for administration area]
    
    Let's say you are doing a PEN-TEST and you find that the target is 
    running ImageFolio Pro v2.2, so you go directly to the admin area:
    
                  http://host/cgi-bin/admin/admin.cgi
    
    You need to authenticate, so you try the default credentials 
    (Admin/ImageFolio) and... nothing.
    
    Don't worry. Go to:
    
                 http://host/cgi-bin/admin/setup.cgi
    
    The setup script is not protected, so you can create your own account, 
    log in again, and you are in. 
    
    +[No validation of uploaded files] 
    
    Depending on the web server configuration you can upload some 
    cool files (php, cgi, pl) using the administration area, and then 
    request the file directly so the server executes it. ImageFolio doesn't 
    validate the type of the uploaded file. 
    
    +[Encrypted user passwords]
    
    Once inside the admin area you can modify users, and in that 
    option you can grab each user's encrypted password and feed it to your 
    favorite cracker. 
    
    There's actually no need to view the encrypted password, because 
    ImageFolio uses a kind of session id (uid) for access. 
    
    
    +[Path Disclosure]
    
    Go to create category and create this category:
    ../blah
    
    /home/httpd/imagefolio//blah.
    Reason: Permission denied. 
                             (no comments..)
    
    
    +[Others...]
    
    If you want to generate some extra work for the web server, make 
    some requests to http://target/cgi-bin/admin/nph-build.cgi 
    
    Guess what: it isn't protected either. 
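    
    For administrators who want to know whether any of the above has been 
    tried against their install, here is an added log-review script (not 
    part of this advisory and not ImageFolio code). It scans Apache 
    combined-format access logs for hits on setup.cgi, on nph-build.cgi, 
    for ../ sequences in requests (the category trick above) and for 
    .php/.cgi/.pl requests outside /cgi-bin/ (an uploaded script being 
    run). The sample log lines and the query parameter names on the 
    admin.cgi line are constructed; only the script paths come from the 
    advisory, and the "scripts live only under /cgi-bin/" rule is an 
    assumption.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Apache combined-log request line; only the fields the rules below need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Script paths named in the advisory (adjust if the admin directory was installed elsewhere).
SETUP_CGI = "/cgi-bin/admin/setup.cgi"
BUILD_CGI = "/cgi-bin/admin/nph-build.cgi"
# Assumption: real scripts live only under /cgi-bin/, so a .php/.cgi/.pl hit elsewhere
# suggests an uploaded script being executed (the "No validation of uploaded files" issue).
SCRIPT_EXTS = (".php", ".cgi", ".pl")

def classify(target: str, status: int) -> List[str]:
    """Return the names of every rule one request triggers (empty list if benign)."""
    decoded = unquote(target)
    path = decoded.split("?", 1)[0]
    rules = []
    if path == SETUP_CGI and status == 200:
        rules.append("setup-cgi-reachable")        # self-registration possible (< 2.27)
    if "../" in decoded:
        rules.append("traversal-in-request")       # e.g. the ../blah category name
    if path == BUILD_CGI:
        rules.append("nph-build-unauthenticated")  # rebuild endpoint reachable without auth
    if path.lower().endswith(SCRIPT_EXTS) and not path.startswith("/cgi-bin/"):
        rules.append("uploaded-script-request")
    return rules

def scan_log(text: str) -> List[Dict[str, str]]:
    """Run classify() over every parseable line; lines that do not parse are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in classify(m["target"], int(m["status"])):
            findings.append({"ip": m["ip"], "target": m["target"], "rule": rule})
    return findings

# Constructed sample traffic (not a real capture). The query-string parameter names on the
# admin.cgi line are hypothetical; only the script paths come from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2002:23:10:09 -0700] "GET /cgi-bin/admin/setup.cgi HTTP/1.0" 200 2048
203.0.113.5 - - [08/Jun/2002:23:10:20 -0700] "POST /cgi-bin/admin/setup.cgi HTTP/1.0" 200 330
203.0.113.5 - - [08/Jun/2002:23:11:02 -0700] "GET /cgi-bin/admin/admin.cgi?action=addcat&name=../blah HTTP/1.0" 200 900
203.0.113.5 - - [08/Jun/2002:23:12:40 -0700] "GET /cgi-bin/admin/nph-build.cgi HTTP/1.0" 200 15
203.0.113.5 - - [08/Jun/2002:23:14:11 -0700] "GET /gallery/uploads/test.php HTTP/1.0" 200 77
198.51.100.7 - - [08/Jun/2002:23:13:00 -0700] "GET /gallery/photos/1.jpg HTTP/1.0" 200 41000
"""
```

    Run scan_log() over the real access log text; a setup-cgi-reachable 
    hit on a version below 2.27 means someone may already have registered 
    an admin account.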
    
    -[Solution:
    
    QUICKFIXES are just to FIX QUICK, nothing more!! Renaming setup.cgi 
    isn't a complete solution because there are other bugs out there that 
    reveal its new name. SO IF YOU FOLLOWED THAT NICE INSTALLATION PROCEDURE 
    YOU ARE NOT PROTECTED.
    
    If you didn't rename it, RENAME IT and call ImageFolio for a PATCH =).
    
    ========[ThE End]==========
    
    [LoWNOISE] ET etat_private
    (h) HumanRights Reserved.
    Colombia.
                                                               
    narco-guerrilla.sucks.co
    
    This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 11:20:48 PDT