| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Feb 2012 12:47:27 +0100
From: Andre Silaghi <andre.silaghi@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd: Case YVS Image Gallery
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm just forwarding this for you. Hope you enjoy :)
- -------- Original-Nachricht --------
Betreff: [oss-security] Case YVS Image Gallery
Datum: Mon, 27 Feb 2012 13:32:52 +0200
Von: Henri Salo <henri@...v.fi>
Antwort an: oss-security@...ts.openwall.com
An: oss-security@...ts.openwall.com
Kopie (CC): corryl80@...il.com, bugtraq@...urityfocus.com
http://osvdb.org/show/osvdb/79477
The software "YVS Image Gallery" seems to be full of security issues.
For example one can have lots of fun with this. Copy from
installation.php:
"""
case(isset($_POST['db_name'])):
$host = $_POST['host'];
$db_name = $_POST['db_name'];
$db_user_name = $_POST['db_user_name'];
$db_password = $_POST['db_password'];
$admin_name = $_POST['admin_name'];
$admin_password = $_POST['admin_password'];
$o_host = $_POST['o_host'];
$o_db_name = $_POST['o_db_name'];
$o_db_user_name = $_POST['o_db_user_name'];
$o_db_password = $_POST['o_db_password'];
//read in the file
$file = "../functions/db_connect.php";
$fh = fopen($file, 'r+');
$contents = fread($fh, filesize($file));
//set up the text to change
$text_to_change = array();
$new_text = array();
$text_to_change[] = '$dbhost="'.$o_host.'"';
$text_to_change[] = '$dbuser="'.$o_db_user_name.'"';
$text_to_change[] = '$dbpass="'.$o_db_password.'"';
$text_to_change[] = '$dbname="'.$o_db_name.'"';
$new_text[] = '$dbhost="'.$host.'"';
$new_text[] = '$dbuser="'.$db_user_name.'"';
$new_text[] = '$dbpass="'.$db_password.'"';
$new_text[] = '$dbname="'.$db_name.'"';
$new_contents = str_replace($text_to_change, $new_text,
$contents);
fclose($fh);
// Open file to write
$fh = fopen($file, 'r+');
fwrite($fh, $new_contents);
fclose($fh);
//set up new admin user
include '../functions/db_connect.php';
db_connect();
"""
I'll bet this software is not used much, but I can list all problems I
can find if we want to assign CVE-identifiers to cases like these. No
contact information of developer found. Any ideas how to get these
fixed or get the code out of internet. The package is also hosted in
here: http://www.hotscripts.com/listing/yvs-image-gallery/ (and
probably others).
- - Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJPS21OAAoJEOtuXFFW9/UbSgMP/1nScj8Syt2ig84AEmY9D0fu
RvI79FPyKpKANaLCHGNBrwy5MCufjdWaE74aqxwHop44HZ0rkhxeKhBfZlq5FqVp
v+b7OBlLmKoU6HwofNajlVop7VZXdQicykLxfxTi0CnRhbOb1++cz4XqqHxHqzhj
xR/bg0Cm3IQoPd5bhT03W6X+f9IvwVHhU3JLaBUqAVVNtGJ/mx05E0gvaXK5Iguw
dFdv+/f798rDpQUAHA8QMA0dJ92/xdVJfAWHUFhN9OdF157kAsc8VRRq6IuIOr5Q
VmRHPZHe1yci+sUS2nUyY5VdcHE3Vga2iZWXIitketWBAqs0XqikszIe4wko2MzJ
xWST4+D0/ytG+w2f6J/F71NSwWNCRm/Q368bNkmqmxGajFSHCje+1fSQ7UlM6tSh
iua5IZcTynbRV9XPVPhYaulpGmXZYZ8yiB7kJF+Y/aTe/RxGcbquPVwRUFgEHGkn
TbXktN2hrcrA847c89LY0kwWsf9QLInCp/TavaV7jTcv4qLHSozRDt2mYna7TZs7
N6g76fCwA1ojowPvf9gHq4CtEUH+onVQViaUCj59eu+w6LlmW0kkTK9pQM0RAneN
dtKHcxn02AVSAY4ftsBNEFbUgoMrTqlc8aChDTvgpnN9kEmyMnUxuDjefbjk88gU
vRXGe1rldD0mOXJ5RoDf
=6I4a
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists