Zenphoto Installation Sensitive Information

By kannthu

Medium
Vidoc Module
#unauth
Description

What is the "Zenphoto Installation Sensitive Information" module?

The "Zenphoto Installation Sensitive Information" module is a test case designed to detect misconfigurations in Zenphoto versions older than 1.5.X. It identifies instances where sensitive information related to the Zenphoto installation is exposed, potentially leading to unauthorized access or other security risks. The severity of this module is classified as medium.

Impact

If the Zenphoto installation is misconfigured and sensitive information is exposed, it can pose a significant risk to the security and integrity of the system. Attackers may gain unauthorized access to the installation, potentially compromising user data, modifying content, or executing malicious actions.

How does the module work?

The "Zenphoto Installation Sensitive Information" module works by sending HTTP requests to specific paths commonly associated with the Zenphoto setup process. It then applies matching conditions to determine if the response indicates the presence of sensitive information. The module checks for the presence of the phrase "Welcome to Zenphoto! This page will set up Zenphoto" in the response body, a "text/html" content type in the response header, and a 200 status code. If all conditions are met, the module flags the installation as potentially exposing sensitive information.

Here is an example of an HTTP request sent by the module:

GET /zenphoto/zp-core/setup/index.php

The module's matching conditions are as follows:

- The response body must contain the phrase "Welcome to Zenphoto! This page will set up Zenphoto".
- The response header must have a content type of "text/html".
- The response status code must be 200.

By analyzing the responses and applying these conditions, the module helps identify instances where the Zenphoto installation may be misconfigured and exposing sensitive information.
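The three conditions above can be reproduced as a self-check against a Zenphoto site you administer. The following is an added example, not Vidoc's own module code; the function names and the sample responses are constructed for illustration, and only the one request path shown in full above is used.

```python
import urllib.error
import urllib.request

# Both values are taken from the module description above.
SETUP_PATH = "/zenphoto/zp-core/setup/index.php"
MARKER = "Welcome to Zenphoto! This page will set up Zenphoto"


def matches_setup_page(status, headers, body):
    """Apply the module's three conditions; all must hold (logical AND)."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "").lower()
    return status == 200 and "text/html" in content_type and MARKER in body


def check_own_site(base_url, timeout=10):
    """Fetch the setup path from a site you administer and evaluate it."""
    url = base_url.rstrip("/") + SETUP_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
            return matches_setup_page(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError:
        return False  # 403/404 and similar: the setup page is not served
    except urllib.error.URLError:
        return False  # host unreachable: nothing to evaluate


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "exposed": (200, {"Content-Type": "text/html; charset=UTF-8"},
                "<h1>" + MARKER + " for your site.</h1>"),
    "blocked": (403, {"Content-Type": "text/html"}, "Forbidden"),
    "wrong_type": (200, {"content-type": "application/json"},
                   '{"msg": "' + MARKER + '"}'),
    "soft_404": (200, {"Content-Type": "text/html"}, "<h1>Page not found</h1>"),
}


def evaluate_samples():
    """Return {sample name: True if the module would flag it}."""
    return {name: matches_setup_page(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'FLAG' if hit else 'ok'}")
```

A `False` result from the "blocked" case is the state to aim for: the setup script is removed or access-restricted, so the path no longer returns the setup page.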

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /zenphoto/zp-core/se... /zp/zp-core/setup/in... /gallery/zp-core/set... (+1 paths)
Matching conditions
word: Welcome to Zenphoto! This page will set ... and
word: text/html and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability