[UNIX] SGallery Multiple Vulnerabilities (SQL Injection, Path Disclosure, File Inclusion)

From: SecuriTeam (support_at_securiteam.com)
Date: 01/17/05

  • Next message: SecuriTeam: "[NT] Internet Explorer Handling of %20 Allows Spoofing" 
    To: list@securiteam.com
Date: 17 Jan 2005 14:08:57 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      SGallery Multiple Vulnerabilities (SQL Injection, Path Disclosure, File
    Inclusion)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.ser.acmetelecom.ru/> SGallery is "a image gallery generating
    module for PHP-Nuke". Multiple vulnerabilities have been discovered in the
    product allowing a remote attacker to: inject arbitrary SQL statements,
    disclose the path under which the product has been installed and include
    and execute external files.

    DETAILS

    Vulnerable Systems:
     * SGallery version 1.01 and prior

    Vulnerable code:
    Let's look at source code from imageview.php:
    require_once("$DOCUMENT_ROOT/config.php");
    require_once("$DOCUMENT_ROOT/includes/sql_layer.php");
      
      $dbi = sql_connect ($dbhost,$dbuname,$dbpass,$dbname);

      if ($idalbum) {
        $result = sql_query("select picture from ".$prefix."_SGalbums where
    idalbum=".$idalbum,$dbi);
      } elseif ($idimage) {
        $result = sql_query("select picture from ".$prefix."_SGimages where
    idimage=".$idimage,$dbi);
      }

      list($echo) = sql_fetch_row($result, $dbi);
      sql_free_result($result);

      sql_logout ($dbi);

      header ("Content-Type: image/jpeg");
      echo $echo;

    Now let's analyze the weak points.

    Full Path Disclosure:
    If "$idalbum" and "$idimage" are both unset, then because of the open
    "if/elseif" construction there variable "$result" will be unset or can be
    poisoned through GET/POST/COOKIE. And next call of the "sql_fetch_row()"
    will trigger generic php error messages, leading to full path disclosure.
    Path disclosure is considered as low level security threat, but anyway
    it's useful for further malicious actions.

    Arbitrary File Inclusion:
    This kind of code construction as

    require_once("$DOCUMENT_ROOT/config.php");
    require_once("$DOCUMENT_ROOT/includes/sql_layer.php");

    is not very secure. Depending of the web server software vendor,version
    number and configuration settings it can lead to arbitrary file inclusion
    and possible remote file inclusion.

    SQL Injection bug in "imageview.php":
    Looking at source code, presented above, we can see insecure SQL queries
    directed to the database. To be excact, user submitted variables
    "$idalbum" and/or "$idimage" are used in SQL "SELECT" clause without
    escaping with single quotes. This is clearly sql injection bug. Further
    exploitation will depend on database software and version. In case of the
    MySQL version 4.x with UNION functionality enabled, arbitrary data can be
    retrieved from database, including admin(s) authentication credentials.
    Traditionally, there is the proof of concept:

    Exploit:
    http://localhost/nuke75/modules/Sgallery/imageview.php?idimage=-99/**/UNION/
    **/SELECT/**/pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1

    Best browser to test this proof of concept is Microsoft Internet Explorer
    - it will show plaintext admin password's md5 hash as needed. Firefox and
    other browsers will mostly rendering out "broken picture" because of the
    "Content-Type: image/jpeg" header. But anyway, SQL injection exists, can
    be exploited and must be fixed by vendor as soon as possible.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
    Vind.
    The original article can be found at:
    <http://www.waraxe.us/advisory-39.html>
    http://www.waraxe.us/advisory-39.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Internet Explorer Handling of %20 Allows Spoofing"

    Relevant Pages