Pixelpost (Calendar addon 1.1.6) 1.7.3 Multiple vulnerabilities

Name:             Pixelpost (Calendar 1.1.6) 1.7.3 Multiple vulnerabilities
Systems Affected: Pixelpost v1.7.3
Severity:         High
Impact:           High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vendor:           http://www.pixelpost.org/
Advisory:         http://www.ush.it/team/negator/hack-pixelpost_173/adv.txt
Author:           Simone "negator" Onofri
Date:             20110407

I. BACKGROUND

Pixelpost is an open-source, standards-compliant, multi-lingual, fully extensible photoblog application for the web.

II. DESCRIPTION

Pixelpost "Calendar", a pretty looking image gallery written in PHP, is vulnerable to Blind SQL Injection and XSS.

III. ANALYSIS

Summary:

A) Blind SQL Injection (SQLI) Vulnerability
B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in Pixelpost version 1.7.3. The calendar functionality must be enabled; it is an addon distributed with the package but disabled by default. The GET variable "category" is inserted into a SELECT query without sanitization and/or a cast to an integer type in "addon/calendar.php":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$query2 = mysql_query("SELECT a.* FROM ".$pixelpost_db_prefix."pixelpost a, ".$pixelpost_db_prefix."catassoc b WHERE b.cat_id = '" . $_GET["category"] . "' AND a.id = b.image_id AND (a.datetime like '$prev_browsing_month_day%') ORDER BY a.datetime desc limit 1");
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It is possible to exploit the issue in the standard blind way, for example using TRUE/FALSE statements (tautology based bisection):

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011&showimage=3&category=10'+AND+'1'='1
http://www.example.com/pixelpost/index.php?curr_month=4&curr_year=2011&showimage=3&category=10'+AND+'1'='0
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in Pixelpost version 1.7.3 in the calendar addon, which is shipped by default but disabled. The GET variables "curr_year" and "category" are reflected in the page without proper encoding in "addon/calendar.php":

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$cal_vz .= "
&laquo; | $asc_mon-$curr_year | &raquo; |
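A hardened form of the two spots quoted above, added here as an example and not Pixelpost's own code. It assumes a mysqli connection in $db and that $pixelpost_db_prefix, $prev_browsing_month_day, $asc_mon and $cal_vz are set as in the addon; the fix is to validate the GET values as integers, bind them in a prepared statement, and encode on output.

```php
<?php
// Added example (not Pixelpost's code): hardened replacement for the query and
// the reflected output from addon/calendar.php. Assumes $db is a mysqli
// connection and that $pixelpost_db_prefix, $prev_browsing_month_day, $asc_mon
// and $cal_vz exist as in the addon. Table names cannot be bound as parameters,
// so the prefix must stay a trusted config value; only user input is bound.

// Fail closed on anything that is not an integer id. The quote-based tautology
// strings from the advisory are rejected here before any SQL is built.
$category = filter_input(INPUT_GET, 'category', FILTER_VALIDATE_INT);
if ($category === false || $category === null) {
    http_response_code(400);
    exit('invalid category');
}
$curr_year = filter_input(INPUT_GET, 'curr_year', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1970, 'max_range' => 9999]]);
if ($curr_year === false || $curr_year === null) {
    http_response_code(400);
    exit('invalid year');
}

// Prepared statement instead of string concatenation: bound values travel
// separately from the SQL text, so they can never alter its structure.
$sql = "SELECT a.* FROM {$pixelpost_db_prefix}pixelpost a, "
     . "{$pixelpost_db_prefix}catassoc b "
     . "WHERE b.cat_id = ? AND a.id = b.image_id AND a.datetime LIKE ? "
     . "ORDER BY a.datetime DESC LIMIT 1";
$stmt = $db->prepare($sql);
$like = $prev_browsing_month_day . '%';
$stmt->bind_param('is', $category, $like);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// Encode every value reflected into the page. The validated integer $curr_year
// is already harmless, but output encoding is applied uniformly, not per value.
$cal_vz .= '&laquo; | '
         . htmlspecialchars("$asc_mon-$curr_year", ENT_QUOTES, 'UTF-8')
         . ' | &raquo;';
```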