----------------------------------------------------------------------

BETA test the new Secunia Personal Software Inspector!

The Secunia PSI detects installed software on your computer and
categorises it as either Insecure, End-of-Life, or Up-To-Date.
Effectively enabling you to focus your attention on software
installations where more secure versions are available from the
vendors.

Download the free PSI BETA from the Secunia website:
https://psi.secunia.com/

----------------------------------------------------------------------

TITLE:
EZPhotoSales Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA26341

VERIFY ADVISORY:
http://secunia.com/advisories/26341/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access

WHERE:
>From remote

SOFTWARE:
EZPhotoSales 1.x
http://secunia.com/product/15266/

DESCRIPTION:
Seth Fogie has reported some vulnerabilities and security issues in
EZPhotoSales, which can be exploited by malicious people to disclose
sensitive information and bypass certain security restrictions, and
by malicious users to conduct script insertion attacks and compromise
a vulnerable system.

1) It is possible to bypass the gallery access authentication by
directly accessing an image folder in the web browser.

2) A security issue is caused due to information being stored in
data/galleries.txt inside the web root. This can be exploited to
disclose the passwords for all galleries.

Successful exploitation of this vulnerability requires that the
administrator has not changed to an alternate location for this
file.

3) A security issue is caused due to information being stored in
configuration/config.dat inside the web root. This can be exploited
to disclose administrator username hashes and password hashes, which
can then be used for logging in as administrator.

4) Input passed to the "Title" parameter when changing settings is
not properly sanitised before being stored. This can be exploited to
insert arbitrary HTML and script code, which is executed in a user's
browser session in context of an affected site when the malicious
data is viewed.

Successful exploitation of this vulnerability requires valid
administrator credentials (but see #3).

5) The file upload functionality fails to validate the extension of
an uploaded file. This can be exploited to upload files with
arbitrary extensions (e.g. ".php") and execute arbitrary PHP code on
the server.

Successful exploitation of this vulnerability requires valid
administrator credentials (but see #3).

The vulnerabilities and security issues are reported in version
1.9.3. Other versions may also be affected.

SOLUTION:
Restrict web access (e.g. with ".htaccess") to the configuration/ and
data/ directories.

Use another product.

PROVIDED AND/OR DISCOVERED BY:
Seth Fogie

ORIGINAL ADVISORY:
http://www.airscanner.com/security/07080601_ezphotosales.htm

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------