ZenPhoto 1.4.8: Second Order SQL Injection, Reflected XSS, Path Traversal, Function Execution

  • Vulnerability: Second Order SQL Injection, Reflected XSS, Path Traversal, Function Execution
  • Affected Software: ZenPhoto
  • Affected Version: 1.4.8 (probably also prior versions)
  • Patched Version: 1.4.9
  • Risk: Medium
  • Vendor Contacted: 2015-05-18
  • Vendor Fix: 2015-07-09
  • Public Disclosure: 2015-07-10

ZenPhoto is an open-source CMS written in PHP with a focus on hosting images. There are multiple vulnerabilities in version 1.4.8, including SQL injection and XSS vulnerabilities.


Mod_Security Bypass Login (CRS, SQL Injection)

  • Vulnerability: Bypass mod_security to perform SQL injection (login bypass)
  • Affected Software: OWASP ModSecurity Core Rule Set
  • Affected Version: 2.2.9 (probably also prior versions)
  • Patched Version: 3.0.0
  • Risk: Low
  • Vendor Contacted: 2014-12-07 via mail, 2015-02-18 via github
  • Vendor Fix: 2014-12-09 (in dev tree, independent of report)
  • Public Disclosure: 2015-02-18 on github

Mod_Security & Core Rule Set

mod_security is an Intrusion Detection System / Web Application Firewall for Apache, IIS, and nginx developed by SpiderLabs. As a filter list it uses the OWASP ModSecurity Core Rule Set.

Injection Payload

Using the Core ModSecurity Rule Set ver. 2.2.9 with the default configuration, SecRuleEngine On, and all base_rules enabled, the following payloads pass through the filter unblocked and can be used to bypass it in SQL injection attacks:

foo' or true #
foo' or false #
