Photo Station, a web application, allows users to upload and share photos over the Internet using a Turbo NAS (Network-Attached Storage). As a result of a short directory bruteforce I performed recently, I discovered a "/photo/" directory within the application.
Through this directory I achieved guest access although the account did not have access to any photo albums. When logging in as a guest user (and promptly being logged out again due to no albums being shared with the account), I had an inkling that useful items of functionality may have been exposed.
Upon further investigation, I noticed that a "/photo/p/api/list.php" script was being called along with various values to a "t" parameter to retrieve photo albums. I replayed the request (as an unauthenticated user) and the API responded. I then fuzzed this "t" parameter for various values (again as an unauthenticated user) to try and find something interesting.
With the table results from my Burp Intruder session glaring down brightly from my screen, I scrolled down to review the response lengths of each request.
In reviewing the request "/photo/p/api/list.php?t=users" I thought I might be onto something.
Here is the actual raw response, an XML file:
0
0
Admin
administrator
502
REMOVED
Linux User
501
REMOVED
Linux User
500
REMOVED
Linux User
none
This particular Photo Station API reveals users of the operating system. With this information, an attacker could attempt a bruteforce attack on the user credentials or make use of them in tandem with another vulnerability.
The vendor was informed of and has since fixed this vulnerability in firmware 4.0.3 build 0912.
