Case YVS Image Gallery



http://osvdb.org/show/osvdb/79477

The software "YVS Image Gallery" seems to be full of security issues. For example, one can have lots of fun with this. Copy from installation.php:

"""
case(isset($_POST['db_name'])):

$host = $_POST['host'];
$db_name = $_POST['db_name'];
$db_user_name = $_POST['db_user_name'];
$db_password = $_POST['db_password'];

$admin_name = $_POST['admin_name'];
$admin_password = $_POST['admin_password'];

$o_host = $_POST['o_host'];
$o_db_name = $_POST['o_db_name'];
$o_db_user_name = $_POST['o_db_user_name'];
$o_db_password = $_POST['o_db_password'];

//read in the file
$file = "../functions/db_connect.php";
$fh = fopen($file, 'r+');
$contents = fread($fh, filesize($file));

//set up the text to change
$text_to_change = array();
$new_text = array();

$text_to_change[] = '$dbhost="'.$o_host.'"';
$text_to_change[] = '$dbuser="'.$o_db_user_name.'"';
$text_to_change[] = '$dbpass="'.$o_db_password.'"';
$text_to_change[] = '$dbname="'.$o_db_name.'"';

$new_text[] = '$dbhost="'.$host.'"';
$new_text[] = '$dbuser="'.$db_user_name.'"';
$new_text[] = '$dbpass="'.$db_password.'"';
$new_text[] = '$dbname="'.$db_name.'"';

$new_contents = str_replace($text_to_change, $new_text, $contents);
fclose($fh);

// Open file to write
$fh = fopen($file, 'r+');
fwrite($fh, $new_contents);
fclose($fh);

//set up new admin user

include '../functions/db_connect.php';

db_connect();
"""

I'll bet this software is not used much, but I can list all problems I can find if we want to assign CVE identifiers to cases like these. No contact information for the developer found. Any ideas how to get these fixed or get the code off the internet? The package is also hosted here: http://www.hotscripts.com/listing/yvs-image-gallery/ (and probably others).

- Henri Salo
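
The excerpt above builds PHP source by concatenating POST values between double quotes and then includes the resulting file, so request data ends up parsed as code rather than data. The following is an added example, not part of the original post or of YVS Image Gallery, showing the same settings written as data with var_export() and the installer locked after first run; the function name, file paths, lock file and validation patterns are assumptions.

```php
<?php
// Added example, not YVS Image Gallery code. Function name, paths, lock file
// and validation patterns are assumptions for illustration.
function write_db_config(array $post, string $configFile, string $lockFile): void
{
    // An installer that stays reachable can rewrite the config at any time,
    // so refuse to run once installation has completed.
    if (file_exists($lockFile)) {
        throw new RuntimeException('Installer locked: already installed');
    }
    $settings = [];
    foreach (['host', 'db_name', 'db_user_name', 'db_password'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("Missing or non-string field: $key");
        }
        $settings[$key] = $post[$key];
    }
    // Host and database name have a narrow legitimate alphabet; enforce it.
    if (!preg_match('/\A[A-Za-z0-9._:-]{1,255}\z/', $settings['host'])) {
        throw new InvalidArgumentException('Invalid host');
    }
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $settings['db_name'])) {
        throw new InvalidArgumentException('Invalid database name');
    }
    // var_export() emits PHP literals with quotes and backslashes escaped, so a
    // value is always loaded back as a string and never parsed as code.
    $source = "<?php\nreturn " . var_export($settings, true) . ";\n";
    // Write to a temporary file and rename, so a failed write cannot leave a
    // half-written config behind.
    $tmp = $configFile . '.tmp';
    if (file_put_contents($tmp, $source, LOCK_EX) === false) {
        throw new RuntimeException('Cannot write config file');
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $configFile) || !touch($lockFile)) {
        throw new RuntimeException('Cannot finalise installation');
    }
}

// Constructed sample input: the password deliberately contains quote, dollar
// and backslash characters to show they round-trip as plain data.
$dir = sys_get_temp_dir() . '/cfg_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$sample = ['host' => 'localhost', 'db_name' => 'gallery',
           'db_user_name' => 'gallery_user', 'db_password' => 'p"a$s\\w\'d'];
write_db_config($sample, "$dir/db_config.php", "$dir/installed.lock");
$loaded = require "$dir/db_config.php";
var_dump($loaded === $sample);
```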


