Vulnerability in Zenphoto

Since I can't find any contact info and there is no mention of this on the front page or elsewhere: are the developers and users of Zenphoto aware of the vulnerabilities which can be exploited by malicious people to conduct SQL injection attacks?

It's on the secunia site, so in public. Everybody better fix their code!

Comments

  • acrylian Administrator, Developer
    Thanks for reporting. The forum is the right place to contact us. Creating a ticket in the bugtracker would be a good idea for these kind of reports, too.

    But anyway, for your interest:
    The RSS feed SQL injection issue has already been reported and is solved in the nightly build and will be in 1.1.4, which is on its way.

    The second report I found on the secunia site is stated for zenphoto 1.0.4 to 1.0.6 and to be solved in 1.0.7.
    These versions are clearly outdated.
  • Are you concerned about a particular problem? If so, which? So far as I can see on the secunia site, it reports two problems. Neither are currently issues.
  • I was talking about the RSS feed issue. If it's solved in the 1.1.4 nightly, then that's fine.

    @sbillard: the vulnerability still exists in the 1.1.3 release I downloaded today.
  • By the way, thanks for the fast responses. If I have some time I'll see if I can find more problems. In rss.php for example, several input variables are used for html output without any escaping (or input validation). $_SERVER["HTTP_HOST"] and albumname for example. A simple htmlentities($var, ENT_QUOTES, 'UTF-8') should be used there.

    For the HTTP_HOST story, see also http://shiflett.org/blog/2006/mar/server-name-versus-http-host
  • trisweb Administrator
    SQL-injection and XSS vulnerabilities fixed in rss.php in SVN and tonight's nightly. Do we have any others?

    Thanks for the tip on HTTP_HOST.
  • I'm impressed that these are being fixed as soon as they are being found. Is there a general strategy for handling potentially unclean data?
  • It's indeed good these are fixed quickly. But I'm less impressed with the fact that these errors were in the code in the first place. I really don't want to blame anyone or sound too negative, but if you look at the code:
    At line 8 and 9 $_GET variables are included. Just 10 lines lower one of them is echo'd out without any escaping or validation.
    Another 20 lines down one of them is used directly in a query. Again without any validation or escaping.

    These are so obvious and easy to spot. Why have they been overlooked? And what about the possible harder to spot vulnerabilities?

    I think it would be a lot better to rewrite the code in such a way that there are a few distinct groups of variables. One is raw input (GET, POST, SERVER, etc). The second is a $clean array, only containing validated content. So
    ```php
    // Group 2: only validated values go into $clean
    $clean = array();
    $clean['somenumericid'] = (int)$_GET['someid'];
    ```
    for a variable which must be an integer
    etc etc
    Then the third and fourth are used in output to HTML and output to mysql:
    ```php
    // Group 3: values escaped for HTML output
    $html = array();
    // Group 4: values escaped for the database
    // (mysql_real_escape_string needs an open mysql connection)
    $sql = array();

    $html['somevar'] = htmlentities($clean['somevar'], ENT_QUOTES, 'UTF-8');
    $sql['var'] = mysql_real_escape_string($clean['var']);
    ```
    Everybody familiar with Chris Shiflett's work will recognize the ideas.

    If there's any help needed, I would be willing to help. I use zenphoto and it's a great piece of software and I'm thankful to the developers who have put a lot of work in it.
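The raw / $clean / $html / $sql separation described in this post, together with the htmlentities() call suggested earlier in the thread for albumname and HTTP_HOST, as an added example in PHP. It is not Zenphoto's code nor the poster's; the function name, the album-name character whitelist, the DEFAULT_HOST fallback and the use of a bound parameter instead of mysql_real_escape_string are assumptions.

```php
<?php
// Added example, not Zenphoto's code: raw / $clean / $html / $sql groups
// applied to inputs like the ones rss.php reads. Names are assumptions.
const DEFAULT_HOST = 'gallery.example'; // assumed fallback when Host is bad

function build_rss_vars(array $get, array $server): array {
    // Group 1: raw input; nothing below reads $get/$server directly again.
    $raw = array(
        'albumname' => isset($get['albumname']) ? $get['albumname'] : '',
        'host'      => isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '',
        'limit'     => isset($get['limit']) ? $get['limit'] : '10',
    );

    // Group 2: $clean holds only values that passed validation.
    $clean = array();
    // Album names: conservative character whitelist (assumed policy).
    $clean['albumname'] = preg_match('#^[A-Za-z0-9_./ -]{1,64}\z#', $raw['albumname'])
        ? $raw['albumname'] : '';
    // Host header: hostname with optional port, else a configured default.
    $clean['host'] = preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?\z/', $raw['host'])
        ? $raw['host'] : DEFAULT_HOST;
    // Numeric limit: cast, then clamp to a sane range.
    $clean['limit'] = max(1, min(100, (int)$raw['limit']));

    // Group 3: the same values escaped for HTML/XML output.
    $html = array(
        'albumname' => htmlentities($clean['albumname'], ENT_QUOTES, 'UTF-8'),
        'host'      => htmlentities($clean['host'], ENT_QUOTES, 'UTF-8'),
    );

    // Group 4: what reaches the database. The integer is already safe;
    // the string is handed over as a bound parameter rather than escaped.
    $sql = array(
        'query'  => 'SELECT * FROM images WHERE album = ? LIMIT ' . $clean['limit'],
        'params' => array($clean['albumname']),
    );
    return array('clean' => $clean, 'html' => $html, 'sql' => $sql);
}

// Constructed sample request with a malformed album name and Host header.
$vars = build_rss_vars(
    array('albumname' => "x' OR '1'='1", 'limit' => '999'),
    array('HTTP_HOST' => '<b>bad</b>.example')
);
print_r($vars); // albumname emptied, host replaced by DEFAULT_HOST, limit clamped to 100
```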
  • acrylian Administrator, Developer
    Well, I feel indeed a little blamed since I made this feed (although based on the work of others). These issues were not that obvious for me and I never heard of Chris Shiflett. But I am not a security expert and my roots are in design and not programming. But I can learn from mistakes.

    If you look at the new rss code in the nightly, we use already existing functions called sanitize and sanitize_numeric to validate the input now. You find them in zp-core/functions.php if you want to take a look at their code.

    So if you have the in-depth knowledge and the time to help, you are welcome. Create an account on the trac, then you can create tickets and attach fixes if you find anything more.
  • Hi acrylian, thanks for your reply. Shiflett can be found on http://shiflett.org/. He wrote a very good book on php security. It's quite small and an easy read. Not as in-depth as other books, but it makes the principles very clear. Good for a start.

    Indeed, I saw that the new rss is updated. However, there is still some un-escaped output ($albumname and $_SERVER["HTTP_HOST"]). Even though $albumname has been "validated" (I haven't looked at the sanitize function yet, so don't know what that does), it still needs escaping. And for the $_SERVER["HTTP_HOST"]: on line 60 further down there is an escaped variable created, $host. If that one is placed earlier in the code and then used in place of the echo'd $_SERVER["HTTP_HOST"] in line 30, that is solved as well.

    I will create an account on the trac and maybe I'll be able to help.
  • acrylian Administrator, Developer
    We have fixed the second $_SERVER issue in the svn as you suggested.
  • http://secunia.com/advisories/47875/

    There is a new secunia advisory (2012-02-09) about a vulnerability in ZenPhoto. What about it?

    The 1.4.2.1 is not a security update.

    Edit: Sorry, I should have read first before speaking.
  • acrylian Administrator, Developer
    No problem. Generally we don't always advertise fixed small security issues explicitly; we do only on really severe issues, as with 1.4.1.6. It is really recommended to stay tuned!