Vulnerabilities > CVE-2005-0928 - Unspecified vulnerability in Photopost PHP PRO 5.02

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
photopost
nessus
exploit available

Summary

Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 5.x allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) password, (3) ppuser, (4) sort, or (5) si parameters to showgallery.php, the (6) ppuser, (7) sort, or (8) si parameters to showmembers.php, or (9) the photo parameter to slideshow.php.

Vulnerable Configurations

Part Description Count
Application
Photopost
1

Exploit-Db

  • description: PhotoPost Pro 5.1 showgallery.php Multiple Parameter XSS. CVE-2005-0928. Webapps exploit for php platform
    id: EDB-ID:25308
    last seen: 2016-02-03
    modified: 2005-03-28
    published: 2005-03-28
    reporter: Diabolic Crab
    source: https://www.exploit-db.com/download/25308/
    title: PhotoPost Pro 5.1 showgallery.php Multiple Parameter XSS
  • description: PhotoPost Pro 5.1 showmembers.php Multiple Parameter XSS. CVE-2005-0928. Webapps exploit for php platform
    id: EDB-ID:25309
    last seen: 2016-02-03
    modified: 2005-03-28
    published: 2005-03-28
    reporter: Diabolic Crab
    source: https://www.exploit-db.com/download/25309/
    title: PhotoPost Pro 5.1 showmembers.php Multiple Parameter XSS
  • description: PhotoPost Pro 5.1 slideshow.php photo Parameter XSS. CVE-2005-0928. Webapps exploit for php platform
    id: EDB-ID:25310
    last seen: 2016-02-03
    modified: 2005-03-28
    published: 2005-03-28
    reporter: Diabolic Crab
    source: https://www.exploit-db.com/download/25310/
    title: PhotoPost Pro 5.1 slideshow.php photo Parameter XSS

Nessus

NASL family: CGI abuses
NASL id: PHOTOPOST_MULTIPLE_INPUT_VULNS.NASL
description: The version of PhotoPost PHP installed on the remote host is prone to multiple input validation vulnerabilities: o Multiple SQL Injection Vulnerabilities The application fails to properly sanitize user-input via the …
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17649
published: 2005-03-30
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/17649
title: PhotoPost < 5.1 Multiple Input Validation Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: Nessus loads the script with `description` set to
# collect plugin metadata. This block registers it and exits before any
# network activity; the active probes are in the detection section below.
if (description) {
  script_id(17649);
  script_version("1.18");

  # Two CVE ids: CVE-2005-0928 covers the XSS issues, the other id the SQL
  # injection issues described in the text below.
  script_cve_id("CVE-2005-0928", "CVE-2005-0929");
  script_bugtraq_id(12920);

  script_name(english:"PhotoPost < 5.1 Multiple Input Validation Vulnerabilities");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
several vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The version of PhotoPost PHP installed on the remote host is prone to
multiple input validation vulnerabilities:

  o Multiple SQL Injection Vulnerabilities
    The application fails to properly sanitize user-input via
    the 'sl' parameter of the 'showmembers.php' script, and 
    the 'photo' parameter of the 'showphoto.php' script. An 
    attacker can exploit these flaws to manipulate SQL 
    queries, possibly destroying or revealing sensitive data.

  o Multiple Cross-Site Scripting Vulnerabilities
    The application fails to properly sanitize user-input via
    the 'photo' parameter of the 'slideshow.php' script, the
    'cat', 'password', 'si', 'ppuser', and 'sort' parameters
    of the 'showgallery.php' script, and the 'ppuser', 'sort', 
    and 'si' parameters of the 'showmembers.php' script.
    An attacker can exploit these flaws to inject arbitrary 
    HTML or code script in a user's browser in the context of 
    the affected website, resulting in theft of 
    authentication data or other such attacks." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Mar/483" );
 script_set_attribute(attribute:"solution", value:
"The issues are reportedly fixed by upgrading to PhotoPost PHP version
5.1." );
 # The CVSS vector scores the plugin as a whole (SQL injection side:
 # C:P/I:P/A:P); the XSS-only CVE-2005-0928 is scored lower on this page
 # (4.3, integrity impact only).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 # NOTE(review): public Exploit-DB entries 25308-25310 (listed on this page)
 # exist for the XSS side, so 'exploit_available' = "false" may be stale.
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/30");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/03/28");
 script_cvs_date("Date: 2018/11/15 20:50:18");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:photopost:photopost_php");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:photopost:photopost_php_pro");
 script_end_attributes();

  script_summary(english:"Checks for multiple input validation vulnerabilities in PhotoPost PHP");
  # ACT_ATTACK: the detection phase sends crafted requests to the target,
  # so this plugin is an active test, not a banner check.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  # Prerequisites: an install recorded by photopost_detect.nasl (KB key
  # www/photopost), a web service port, and CGI scanning not disabled.
  script_dependencies("photopost_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/photopost");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


# Detection phase: reached only when the script is loaded without
# `description`. Requires a web port that can serve PHP.
port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Look up the install recorded by photopost_detect.nasl and extract the
# directory part ("<version> under <dir>"); nothing to test otherwise.
install = get_kb_item(string("www/", port, "/photopost"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(matches)) exit(0);
dir = matches[2];

# Two SQL injection probes: a stray quote in the vulnerable parameter makes
# an unpatched install return a MySQL error page, which is the signal below.
probes = make_list(
  "/showmembers.php?sl='nessus",
  "/showphoto.php?photo='nessus"
);
foreach probe (probes) {
  reply = http_send_recv3(method:"GET", item:string(dir, probe), port:port);
  # No HTTP reply at all: stop rather than report on a guess.
  if (isnull(reply)) exit(0);
  body = reply[2];

  vulnerable = egrep(string:body, pattern:"argument is not a valid MySQL result resource");
  if (!vulnerable) vulnerable = egrep(string:body, pattern:">MySQL error reported!<.+>Script:");

  if (vulnerable) {
    security_hole(port);
    # Both KB flags are raised although only the SQL injection vector was
    # exercised — presumably because an install failing this probe is the
    # same unpatched release that carries the XSS issues (TODO confirm).
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}