Users of ReviewPost PHP Pro and PhotoPost PHP Pro should update their programs to fix several security holes an attacker could exploit to run malicious code on the Web server or steal sensitive information, according to Gulfport, Miss.-based GulfTech Research and Development.
Asked if flaws in both products constitute a widespread threat, GulfTech founder and researcher James Bercegay said, "I am not sure how widely used ReviewPost is, but I do know a Google [search] of 'powered by PhotoPost' returns about a million results."
Bercegay is most concerned about an arbitrary file upload problem in ReviewPost. "Anyone with a user account on your Web site can upload malicious PHP scripts and other files and execute arbitrary code," he said by e-mail.
The firm's advisory added, "Once uploaded, these files can be executed with the permission of the Web server. The uploaded file can be found by following the image link in the review that was posted. Exploiting this vulnerability can be accomplished by naming a file with multiple file extensions (test.jpg.php.jpg.php, for example) and then uploading it when posting a review. It should be noted that the uploads are properly filtered (or seem to be) when editing a review, just not when creating a new review."
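The advisory does not say what ReviewPost's upload filter actually checked, but the multiple-extension trick it describes works against any filter that looks for an allowed extension somewhere in the name instead of requiring that the name consist of one base name plus one allowed extension. The following is an added illustration, not ReviewPost's code: `weak_upload_check` is a hypothetical filter of that kind, and `safe_upload_check` is the check a practitioner would write instead, which also verifies the file's leading bytes and gives the stored file a server-chosen name. The image magic numbers are the standard ones for JPEG, GIF and PNG; the sample file contents are constructed.

```python
import re
import secrets

# Extensions the gallery is willing to serve as images.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Leading bytes of the allowed formats (standard magic numbers).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}


def weak_upload_check(filename: str) -> bool:
    """Hypothetical weak filter (NOT ReviewPost's code): accepts the file if
    any allowed extension appears anywhere in the name. A name such as
    'test.jpg.php.jpg.php' passes because it contains '.jpg', even though
    the Web server will hand the file to the PHP interpreter."""
    lower = filename.lower()
    return any("." + ext in lower for ext in ALLOWED_EXTENSIONS)


def safe_upload_check(filename: str, content: bytes) -> bool:
    """Hardened check: one base name, exactly one dot, one allowed extension,
    and leading bytes that match the extension's format."""
    # Drop any directory component the client may have supplied.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Only [A-Za-z0-9_-] in the base name, a single dot, then a short extension.
    # Anything with a second dot (test.jpg.php) is rejected outright.
    match = re.fullmatch(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})", base)
    if match is None:
        return False
    ext = match.group(2).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    # The content must look like the format the extension claims.
    return content.startswith(MAGIC[ext])


def stored_name(filename: str) -> str:
    """Name to store the file under on the server: a random token plus the
    validated extension, so the client-supplied name never reaches disk."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension must be validated first")
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample inputs.
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    php_bytes = b"<?php system($_GET['c']); ?>"
    for name, data in [
        ("test.jpg.php.jpg.php", php_bytes),
        ("shell.php", php_bytes),
        ("photo.jpg", jpeg_bytes),
        ("photo.jpg", php_bytes),
    ]:
        print(name, "weak:", weak_upload_check(name),
              "safe:", safe_upload_check(name, data))
```

The advisory also notes that the filter behaved correctly when editing a review but not when creating one; the practical lesson is to route every upload path through a single validation function such as `safe_upload_check` rather than re-implementing the check per form. Storing uploads under a server-chosen name, outside any directory the Web server will execute scripts from, removes the remaining risk even if a check is bypassed.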
Similar problems plague both products
Both products contain cross-site scripting vulnerabilities. "This can be used to render hostile code in the context of the victim's browser, or to steal cookie-based credentials or other sensitive info," the advisories said. Both also suffer from SQL injection vulnerabilities that could be exploited "to influence SQL queries and disclose arbitrary data."
A SQL query is a request for some action to be performed on a database. In this kind of attack, an attacker types Structured Query Language (SQL) code into a Web form input box so that it becomes part of the query the application runs, letting him read data he is not supposed to see or change it. Typically, on a Web form for user authentication, when a user enters a name and password into the text boxes provided, those values are inserted into a "select" query. If a matching row is found, the user is allowed access; if it is not, access is denied. The problem arises when the application builds that query by pasting the submitted text directly into the SQL statement: the database cannot tell where the name ends and the attacker's SQL begins. Unless the application passes the values to the database separately from the query text (a parameterized query) or at least escapes them, an attacker can use the input boxes to send his own request to the database, which could let him bypass the login, download the entire database or interact with it in other illicit ways.
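To make the mechanism concrete, here is an added example that is not code from the article or from either product. It builds a small SQLite user table in memory (constructed sample data) and shows two versions of the login query described above: one that pastes the form values into the SQL text, and one that passes them as parameters. Against the first, a crafted user name both bypasses the password check and, with a UNION clause, pulls every user's password hash out of the table, the kind of disclosure GulfTech's proof of concept demonstrates.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    # Toy unsalted hash so the table holds a hash rather than a plaintext
    # password; a real application would use a password KDF such as bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "password_hash TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash, email) VALUES (?, ?, ?)",
        [
            ("alice", pw_hash("hunter2"), "alice@example.invalid"),
            ("admin", pw_hash("s3cret"), "admin@example.invalid"),
        ],
    )
    conn.commit()
    return conn


def build_vulnerable_query(name: str, password: str) -> str:
    # The form values become part of the SQL text itself.
    return (
        "SELECT id, name, email FROM users WHERE name = '%s' "
        "AND password_hash = '%s'" % (name, pw_hash(password))
    )


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Login built by string concatenation: injectable."""
    return conn.execute(build_vulnerable_query(name, password)).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Same login, but the values travel separately from the query text, so
    quotes, comments and UNION in the input are just characters in a string."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ? AND password_hash = ?",
        (name, pw_hash(password)),
    ).fetchall()


# Payloads an attacker would type into the "name" box.
BYPASS_NAME = "admin' -- "          # closes the string, comments out the rest
DUMP_NAME = "' UNION SELECT id, name, password_hash FROM users -- "


if __name__ == "__main__":
    conn = make_db()
    print("normal login:      ", login_parameterized(conn, "alice", "hunter2"))
    print("vulnerable, bypass:", login_vulnerable(conn, BYPASS_NAME, "wrong"))
    print("vulnerable, dump:  ", login_vulnerable(conn, DUMP_NAME, "x"))
    print("parameterized:     ", login_parameterized(conn, BYPASS_NAME, "wrong"))
    print("generated SQL:     ", build_vulnerable_query(BYPASS_NAME, "wrong"))
```

The UNION payload only works because the attacker matched the three columns of the original SELECT; in practice an attacker discovers the column count by trial and error, and the disclosed column need not be a password hash, which is exactly the point of Bercegay's remark that the proof of concept "could just as easily be an admin password hash". Parameterized queries remove the whole class of problem; escaping the input is a weaker second line of defence because it must be applied correctly at every query.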
GulfTech has released a proof of concept for the PhotoPost issues after receiving criticism that the findings were inaccurate and unexploitable. Bercegay said the proof of concept is "relatively harmless," but will pull the private e-mail address of a user. "This could just as easily be an admin password hash," he said.
ReviewPost and PhotoPost are produced by All Enthusiast Inc. On its Web site, the vendor said PhotoPost was designed "to help you give your users exactly what they want. Your users will be thrilled to finally be able to upload and display their photos for your entire community to view and discuss, all with no more effort than it takes to post a text message to a forum."
Of ReviewPost, the vendor said: "Your community of users represents a wealth of knowledge. Now your users can help build and maintain your site by writing reviews of any product imaginable. With ReviewPost, you will quickly amass a valuable collection of user opinions about products that relate to your site. ReviewPost can even use your existing forum login system (if you have one) to keep your users from having to register twice, and makes an excellent companion to PhotoPost."
All Enthusiast Inc. has released ReviewPost 2.84 and PhotoPost 4.86 to fix the security holes.