---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/ ---------------------------------------------------------------------- TITLE: EZPhotoSales Multiple Vulnerabilities SECUNIA ADVISORY ID: SA26341 VERIFY ADVISORY: http://secunia.com/advisories/26341/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: EZPhotoSales 1.x http://secunia.com/product/15266/ DESCRIPTION: Seth Fogie has reported some vulnerabilities and security issues in EZPhotoSales, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions, and by malicious users to conduct script insertion attacks and compromise a vulnerable system. 1) It is possible to bypass the gallery access authentication by directly accessing an image folder in the web browser. 2) A security issue is caused due to information being stored in data/galleries.txt inside the web root. This can be exploited to disclose the passwords for all galleries. Successful exploitation of this vulnerability requires that the administrator has not changed to an alternate location for this file. 3) A security issue is caused due to information being stored in configuration/config.dat inside the web root. This can be exploited to disclose administrator username hashes and password hashes, which can then be used for logging in as administrator. 4) Input passed to the "Title" parameter when changing settings is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed. Successful exploitation of this vulnerability requires valid administrator credentials (but see #3). 5) The file upload functionality fails to validate the extension of an uploaded file. This can be exploited to upload files with arbitrary extensions (e.g. ".php") and execute arbitrary PHP code on the server. Successful exploitation of this vulnerability requires valid administrator credentials (but see #3). The vulnerabilities and security issues are reported in version 1.9.3. Other versions may also be affected. SOLUTION: Restrict web access (e.g. with ".htaccess") to the configuration/ and data/ directories. Use another product. PROVIDED AND/OR DISCOVERED BY: Seth Fogie ORIGINAL ADVISORY: http://www.airscanner.com/security/07080601_ezphotosales.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------