[VulnWatch] True Galerie 1.0 : Admin Access & File Copy

From: Frog Man (leseulfrog_at_hotmail.com)
Date: 04/25/03

    To: bugtraq@securityfocus.com
    Date: Fri, 25 Apr 2003 14:21:47 +0200
    
    

    Information :
    =============
    Language : PHP
    Website : http://www.truelogik.net
    Version : 1.0
    Problems :
    - Admin Access
    - File Copy

    PHP Code/Location :
    ===================
    verif_admin.php, check_admin.php :

    ------------------------------------------------------------------------

    <?php
    // $connect, $loggedin and $passadmin are bare globals: with
    // register_globals on, each one can be supplied by the client (GET,
    // POST or cookie) unless the script assigns it itself first.
    if(isset($connect)) {
            if($connect=="$passadmin") setcookie("loggedin","ok");
            if($connect=="no") setcookie("loggedin");
            Header("Location: ".$PHP_SELF);
    }

    // Meant to test the "loggedin" cookie, but any non-empty request
    // parameter named loggedin satisfies it just as well.
    $ok = ($loggedin!="");

    if($ok) {
            echo "<center>";
            echo "<table>";
            echo "<tr><td align='center'><a href='?connect=no'>DECONNEXION</a></td></tr>";
            echo "</table>";
            echo "</center>";
    }
    else {
            echo "<center><form method='post'>";
            echo "<table>";
            echo "<tr><td align='center'>CONNEXION</td></tr>";
            echo "<tr><td align='center'>Password : admin</td></tr>";
            echo "<tr><td><input type='password' name='connect'></td></tr>";
            echo "<tr><td><input type='submit' value='Login'></td></tr>";
            echo "</table>";
            echo "</form></center>";
    }
    ?>

    ------------------------------------------------------------------------
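A hardened rewrite of the admin check above, added here as an example (it is neither True Galerie's code nor the phpsecure.info patch): the login state lives in the server-side session and every input is read from an explicit superglobal, so no request parameter named "loggedin" can grant access. It assumes config.php defines $passadmin, as the original does.

```php
<?php
// Added example, not True Galerie's code: hardened replacement for the
// verif_admin.php / check_admin.php logic. Assumed: config.php defines
// $passadmin, as in the original.
session_start();
require_once 'config.php';

if (isset($_POST['connect']) && is_string($_POST['connect'])) {
    if ($_POST['connect'] === 'no') {
        // Logout: drop the session instead of clearing a client-side cookie.
        $_SESSION = array();
        session_destroy();
    } elseif (hash_equals((string) $passadmin, $_POST['connect'])) {
        // Strict, constant-time comparison; the original's == also treats
        // numeric-looking strings loosely.
        session_regenerate_id(true);
        $_SESSION['admin'] = true;
    }
    // A wrong password falls through to the form without a hint.
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

// The session is the only source of truth for "logged in"; nothing the
// client sends (query string, POST field, cookie) is consulted directly.
$ok = isset($_SESSION['admin']) && $_SESSION['admin'] === true;

if ($ok) {
    // Logout is a POST form rather than a ?connect=no link.
    echo "<center><form method='post'><table>";
    echo "<tr><td align='center'><input type='hidden' name='connect' value='no'>";
    echo "<input type='submit' value='DECONNEXION'></td></tr>";
    echo "</table></form></center>";
} else {
    // No "Password : admin" hint is printed in the form.
    echo "<center><form method='post'><table>";
    echo "<tr><td align='center'>CONNEXION</td></tr>";
    echo "<tr><td><input type='password' name='connect'></td></tr>";
    echo "<tr><td><input type='submit' value='Login'></td></tr>";
    echo "</table></form></center>";
}
```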

    upload.php :

    ------------------------------------------------------------------------
    [...]
    $userip = $REMOTE_ADDR;
    $pseudo = $_POST['pseudo'];
    $message = $_POST['message'];
    $email = $_POST['email'];
    [...]
    // $file and $file_size are never assigned here: they only exist because
    // register_globals registers the upload field "file" as $file (its temp
    // name), $file_size, etc. A cookie named "file" is processed later in
    // the default variables_order (EGPCS) and so overrides that temp name.
    if((!$pseudo) || (!$message) || (!$file)) {
            [...]
            exit;
    }

    if(!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
            '@'.
            '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
            '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
            $email))
            {
            [...]
            exit();
    }

    [...]

    // $MAX_FILE_SIZE is likewise a client-supplied form value under
    // register_globals.
    if ($file_size >= $MAX_FILE_SIZE)
            {
            [...]
            exit();
    }

    // The MIME type is whatever the browser sent for the upload field; it
    // says nothing about the file $file actually points at.
    if($HTTP_POST_FILES['file']['type']=="image/pjpeg") {
            $ext="jpg";
    }
    elseif($HTTP_POST_FILES['file']['type']=="image/gif") {
            $ext="gif";
    }
    // (The original uses a bitwise | here; for two booleans the result is the same.)
    if($HTTP_POST_FILES['file']['type']=="image/pjpeg"||$HTTP_POST_FILES['file']['type']=="image/gif")
    {

    $date = time();

    $query = "INSERT INTO $tablegalerie
    (cat_id,pseudo,email,url,message,date,clicks,img,userip)
    VALUES('$cat_id','$pseudo','$email','$url','$message','$date','','','$userip')";

    mysql_query($query);

    $id=mysql_insert_id();
    $random_name = makeRandomName();

    $dest_file="./$folder/$random_name.$ext";

    $query = "UPDATE $tablegalerie SET img='$dest_file' WHERE id='$id'";
    mysql_query($query);

    // copy() reads whatever path $file holds (any file the web server can
    // read) into a public gallery file with an image extension;
    // move_uploaded_file() then fails silently because that path is not an
    // uploaded temp file, and the @ hides the warning.
    $res_copy=@copy($file,$dest_file);
    @move_uploaded_file($file,$dest_file);
    ------------------------------------------------------------------------
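The upload step rewritten so that the only file that can reach the gallery is the temporary file PHP created for this request, added here as an example (not True Galerie's code and not the phpsecure.info patch). The DB rows are left out; $folder and the random-name helper are assumptions standing in for the original's config.php value and makeRandomName().

```php
<?php
// Added example, not True Galerie's code. $folder and make_random_name()
// are assumptions replacing the original's config value and makeRandomName().
define('GALLERY_MAX_BYTES', 512 * 1024);  // server-side limit, not a form field
$folder = 'img';                          // assumed gallery directory

function make_random_name()
{
    return bin2hex(random_bytes(8));      // PHP 7+
}

// Returns the stored path, or false when the upload must be refused.
function store_gallery_image(array $files, $folder)
{
    if (!isset($files['file']) || !is_array($files['file'])) {
        return false;
    }
    $f = $files['file'];
    if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] >= GALLERY_MAX_BYTES) {
        return false;
    }
    // Refuse anything that is not this request's upload temp file; this is
    // the check the original's copy($file, ...) lacked.
    if (!is_uploaded_file($f['tmp_name'])) {
        return false;
    }
    // $f['type'] is whatever the browser sent; pick the extension from the
    // file's actual bytes instead.
    $info = @getimagesize($f['tmp_name']);
    if ($info === false) {
        return false;
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $ext = 'jpg'; break;
        case IMAGETYPE_GIF:  $ext = 'gif'; break;
        default:             return false;
    }
    $dest = rtrim($folder, '/') . '/' . make_random_name() . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return false;
    }
    return $dest;
}

$dest_file = store_gallery_image($_FILES, $folder);
if ($dest_file === false) {
    exit('Upload refused.');
}
```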

    Exploits :
    ==========
    - To be admin :
    http://[target]/admin.php?loggedin=1

    - To read config.php (with admin password, DB password, ...) :
    1) Set a cookie named "file" with the value "config.php" on
    http://[target]/form.php
    2) Fill in the form on this form.php page (the image has to be a real image,
    .gif or .jpg!)
    3) Submit the form
    4) Go to the index and look at your file (the last registered image)
    5) Read it: it's config.php.

    Patch :
    =======
    A patch can be found at http://www.phpsecure.info .

    More Details In French :
    ========================
    http://www.frog-man.org/tutos/TrueGalerie.txt

    frog-m@n


