
ImageFolio Pro weak access control for administration area, path disclosure, and more
14th Jun 2002 [SBWID-5447]
COMMAND

	ImageFolio  Pro  weak  access  control  for  administration  area,  path
	disclosure, and more

SYSTEMS AFFECTED

	 V2.2 Professional Edition (UNIX)

	 (Maybe others)

	

PROBLEM

	[LoWNOISE] ET et@cyberspace.org found the following:


	ImageFolio is a multi-platform, server-based, software product suite
	that fully automates the process of viewing, publishing, maintaining,
	distributing, archiving, and marketing Web-based multimedia gallery.
	ImageFolio supports all media types, including images, video, and
	sound. [http://www.imagefolio.com]
	

	

	 Weak access control for administration area
	 -------------------------------------------

	

	Let's say you are doing a pen-test and you find that the target is running
	ImageFolio Pro v2.2, so you go directly to the admin area.
	

	

	              http://host/cgi-bin/admin/admin.cgi

	

	

	You need to authenticate, and you try the default (Admin/ImageFolio) and
	..nothing.

	Don't worry, go to:
	

	

	             http://host/cgi-bin/admin/setup.cgi

	

	

	Create your own account, log in again, and you are in.
	

	

	 No validation of uploaded files
	 -------------------------------

	

	Depending on the web server configuration you can upload some cool
	files (php, cgi, pl) using the administration area. Then you can refer
	directly to the file. ImageFolio doesn't validate the uploaded file
	type.
	

	

	 Encrypted Users passwords
	 -------------------------

	

	When you are inside the admin area you can modify users. In that option
	you can grab the encrypted password so you can use your favorite
	cracker.

	There's no need to view the encrypted password, because ImageFolio uses
	a kind of session_id (uid).
	

	

	 Path Disclosure
	 ---------------

	

	Go to create category and create this category:

	../blah

	/home/httpd/imagefolio//blah.
	Reason: Permission denied.

	

	

	                         (no comments..)
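	Two of the findings above, the unvalidated upload type and the "../blah"
	category name that reaches the filesystem, are both input-validation
	failures on the server side. The following is an added example of how a
	gallery back end would reject both classes of input; it is not code from
	the advisory or from ImageFolio (which is Perl CGI, whereas this is Python
	for readability). The extension allowlist, the magic-byte signatures, the
	gallery root /home/httpd/imagefolio and the sample uploads are all
	constructed for the example.

```python
import os
import re

# Constructed allowlist for this example: extension -> accepted leading byte signatures.
# ImageFolio's own accepted types are not stated in the advisory; these are assumptions.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Category names: an alphanumeric first, then letters, digits, space, '_' or '-'.
# No '.', '/' or '\' at all, so a name such as "../blah" never reaches the filesystem.
CATEGORY_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")

# Upload stems: same idea, but no spaces or dots so the single-extension rule below holds.
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_category_dir(base_dir, category_name):
    """Return the directory a new category may be created in, or None if the
    name is not allowlisted or would resolve outside base_dir."""
    if not CATEGORY_NAME_RE.match(category_name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, category_name))
    # Defence in depth: even if the regex were loosened later, never accept a
    # path whose canonical form is not underneath the gallery root.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_upload(filename, head):
    """Decide whether an upload may be stored. `head` is the first bytes of
    the file body. Returns (accepted, reason)."""
    # Ignore any directory part the client sent (either separator style).
    name = os.path.basename(filename.replace("\\", "/"))
    if name.startswith(".") or name.count(".") != 1:
        return False, "filename must be stem.ext with exactly one extension"
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if not STEM_RE.match(stem):
        return False, "filename stem contains disallowed characters"
    if ext not in ALLOWED_TYPES:
        return False, "extension %r is not in the allowlist" % ext
    # The extension alone is not trusted: the body must carry the matching signature.
    if not any(head.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match the %s signature" % ext
    return True, "ok"


# Constructed sample uploads (not real files from any site).
SAMPLE_UPLOADS = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "PHOTO.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "hello.php": b"<?php echo 1; ?>",
    "hello.php.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "notgif.gif": b"#!/usr/bin/perl\n",
    "../up.png": b"\x89PNG\r\n\x1a\n",
}


def review_samples():
    """Run every constructed sample through check_upload; returns {name: accepted}."""
    return {name: check_upload(name, body)[0] for name, body in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    for name, ok in review_samples().items():
        print("%-16s %s" % (name, "accept" if ok else "reject"))
    for cat in ("holiday-2002", "../blah"):
        print("category %-14r -> %r" % (cat, safe_category_dir("/home/httpd/imagefolio", cat)))
```

	Note that "../up.png" is accepted only after its client-supplied directory
	part has been stripped, "hello.php.jpg" is rejected by the single-extension
	rule regardless of its JPEG signature, and "notgif.gif" is rejected because
	the body does not start with a GIF header even though the extension is
	allowlisted.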

	

	

	 Others...
	 ---------

	

	If you want to generate some extra work for the web server..


	Generate some calls to http://target/cgi-bin/admin/nph-build.cgi and guess
	what: it isn't protected either.

SOLUTION

	QUICKFIXES are just to FIX QUICK but nothing more!! Renaming the
	setup.cgi isn't a complete solution, because other bugs exist out there
	that reveal its new name. SO IF YOU FOLLOWED THAT NICE INSTALLATION
	PROCEDURE YOU ARE NOT PROTECTED.


	If you didn't rename it, RENAME IT and call ImageFolio for a PATCH =).
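	Renaming setup.cgi relies on the new name staying secret. A web-server-level
	control does not: the whole admin/ script directory can be put behind
	authentication (which also covers nph-build.cgi), and setup.cgi can be denied
	outright once installation is finished. The following is an added example of
	such a configuration, not something from the advisory or the ImageFolio vendor.
	It assumes Apache httpd 2.4 syntax, that /cgi-bin/ is mapped to
	/home/httpd/cgi-bin/, and that an htpasswd file exists at
	/home/httpd/.htpasswd-admin; all three paths are assumptions for the example.

```apache
# Added example (Apache httpd 2.4). Paths below are assumptions, not ImageFolio defaults.
<Directory "/home/httpd/cgi-bin/admin">
    # Nothing under admin/ should be reachable anonymously; this also
    # covers nph-build.cgi, which the application itself leaves open.
    AuthType Basic
    AuthName "ImageFolio administration"
    AuthUserFile "/home/httpd/.htpasswd-admin"
    Require valid-user

    # setup.cgi lets any visitor create an administrator account, so once
    # installation is complete it should not be served at all. A <Files>
    # section inside <Directory> takes precedence over the directory rule.
    <Files "setup.cgi">
        Require all denied
    </Files>
</Directory>
```

	After reloading the server, an anonymous request for
	/cgi-bin/admin/nph-build.cgi should answer 401 and a request for
	/cgi-bin/admin/setup.cgi should answer 403 even with valid credentials;
	checking both responses is a quick way to confirm the configuration took
	effect.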
	

	
