Hi.

[LoWNOISE] ImageFolio Pro 2.2
-----------------------------------------------------------------
                          by ET etcyberspace.org Colombia JuN/02

-[Product: BizDesign ImageFolio Pro Edition 2.2
              www.imagefolio.com

-[Description:

(Taken from website)

ImageFolio is a multi-platform, server-based, software
product suite that fully automates the process of viewing,
publishing, maintaining, distributing, archiving, and marketing
Web-based multimedia gallery. ImageFolio supports all media types,
including images, video, and sound.

-[Tested Versions:
                
                - V2.2 Professional Edition (UNIX),
                - (Maybe others)

-[In theory NOT vulnerable:

(After finding the little hole), Reading a small note in a new
instalation guide you find:

"To prevent other people from accessing the setup script directly
and adding themselves as a user, rename setup.cgi and update $setup_url
in your admin_config.pl to reflect this change. UPDATE: this is not needed anymore in version 2.27 and later since it has a build
in security check."

The problem is that they forgot about the many versions < 2.27 that
are active and running today. (and i havent seen any public warning
about it)
 

-[Problems:

+[Weak access control for administration area]

Lets say you are doing a PEN-TEST and you find that target is
running ImageFolio Pro v2.2, so you go directly to the admin area.

              http://host/cgi-bin/admin/admin.cgi

You need to autenticate, and you try the default (Admin/ImageFolio)
and ..nothing.

Dont worry. go to:

             http://host/cgi-bin/admin/setup.cgi

Create your own account, log in again, and you are in.

+[No validation of uploaded files]

Depending on the web server configuration you can upload some
cool files (php, cgi, pl) using the administration area. Then you can
refer directly to the file. ImageFolio doesnt validate the uploaded file type.

+[Encrypted Users passwords]

When you are inside the admin area you can modify users. In that
option you can grab the Encrypted password so you can use your
favorite cracker.

Theres no need to view the encrypted password, because imagefolio
uses a kind of session_id (uid).

+[Path Disclosure]

Go to create category and create this category:
../blah

/home/httpd/imagefolio//blah.
Reason: Permission denied.
                         (no comments..)

+[Others...

If you want to generate some extra work to the web server..

Generate some calls to http://target/cgi-bin/admin/nph-build.cgi
guess what. It isnt protected too.

-[Solution:

QUICKFIXES are just to FIX QUICK but nothing more!!. Renaming the setup.cgi
isnt a complete solution because exist others bugs out there to know the new
name of it. SO IF YOU FOLLOWED THAT NICE INSTALLATION PROCEDURE YOU ARE
NOT PROTECTED.

If you didnt rename it, RENAME IT and call ImageFolio for a PATCH =).

========[ThE End]==========

[LoWNOISE] ET etcyberspace.org
(h) HumanRights Reserved.
Colombia.
                                                           
narco-guerrilla.sucks.co

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]