Home page logo

bugtraq logo Bugtraq mailing list archives

[LoWNOISE] ImageFolio Pro 2.2
From: ET LoWNOISE <et () cyberspace org>
Date: Sun, 9 Jun 2002 02:19:35 -0400 (EDT)


[LoWNOISE] ImageFolio Pro 2.2         
                          by ET et () cyberspace org Colombia JuN/02 

-[Product:    BizDesign ImageFolio Pro Edition 2.2


(Taken from website)

ImageFolio is a multi-platform, server-based, software
product suite that fully automates the process of viewing,
publishing, maintaining, distributing, archiving, and marketing
Web-based multimedia gallery. ImageFolio supports all media types, 
including images, video, and sound.

-[Tested Versions: 
                - V2.2 Professional Edition (UNIX), 
                - (Maybe others)

-[In theory NOT vulnerable:

(After finding the little hole), Reading a small note in a new 
instalation guide you find:

"To prevent other people from accessing the setup script directly 
and adding themselves as a user, rename setup.cgi and update $setup_url 
in your admin_config.pl to reflect this change. UPDATE: this is not needed anymore in version 2.27 and later since it 
has a build 
in security check."

The problem is that they forgot about the many versions < 2.27 that 
are active and running today. (and i havent seen any public warning 
about it) 


+[Weak access control for administration area]

Lets say you are doing a PEN-TEST and you find that target is 
running ImageFolio Pro v2.2, so you go directly to the admin area.


You need to autenticate, and you try the default (Admin/ImageFolio) 
and ..nothing.

Dont worry. go to:


Create your own account, log in again, and you are in. 

+[No validation of uploaded files] 

Depending on the web server configuration you can upload some 
cool files (php, cgi, pl) using the administration area. Then you can 
refer directly to the file. ImageFolio doesnt validate the uploaded file type. 

+[Encrypted Users passwords]

When you are inside the admin area you can modify users. In that 
option you can grab the Encrypted password so you can use your 
favorite cracker. 

Theres no need to view the encrypted password, because imagefolio 
uses a kind of session_id (uid). 

+[Path Disclosure]

Go to create category and create this category:

Reason: Permission denied. 
                         (no comments..)


If you want to generate some extra work to the web server..

Generate some calls to http://target/cgi-bin/admin/nph-build.cgi
guess what. It isnt protected too. 


QUICKFIXES are just to FIX QUICK but nothing more!!. Renaming the setup.cgi 
isnt a complete solution because exist others bugs out there to know the new 

If you didnt rename it, RENAME IT and call ImageFolio for a PATCH =).

========[ThE End]==========

[LoWNOISE] ET et () cyberspace org
(h) HumanRights Reserved.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]