TrueGalerie Authentication Flaw Lets Remote Users Gain Administrator Access to the Application
SecurityTracker Alert ID: 1006647
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 25 2003
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included: Yes
Version(s): 1.0
Description: Two vulnerabilities were reported in TrueGalerie. A remote user can gain administrative access to the application. A remote user can also read certain files on the system.

It is reported that there is an authentication flaw in the verif_admin.php and check_admin.php scripts. A remote user can reportedly bypass the authentication checks performed by these scripts by setting the $loggedin variable to '1'. A demonstration exploit URL is provided:

http://[target]/admin.php?loggedin=1

It is also reported that a remote user can exploit the file upload function to read certain files on the system with the privileges of the web server. A remote user can set a cookie named 'file' whose value is the desired file to be viewed and then submit the upload form. The specified file on the target system will reportedly be loaded into the gallery (as if it were an image). A remote user can, for example, view the 'config.php' file, which contains passwords. A remote user can also bypass upload file size limits by specifying the maximum file size via a POST variable (MAX_FILE_SIZE).

Impact: A remote user can gain administrative access to the application. A remote user can read certain files on the system with the privileges of the web server. For example, the 'config.php' file, which contains the administrative password and the underlying database password, can be viewed.
Solution: No vendor solution was available at the time of this entry. An unofficial patch is available at:
http://www.phpsecure.info/

Vendor URL: www.truelogik.net/downloads.php

Cause: Authentication error, Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: "Frog Man" <leseulfrog@hotmail.com>

Message History: None.

Source Message Contents

Date: Fri, 25 Apr 2003 14:21:47 +0200
From: "Frog Man" <leseulfrog@hotmail.com>
Subject: [VulnWatch] True Galerie 1.0 : Admin Access & File Copy

Information:
°°°°°°°°°°°°
Language: PHP
Website: http://www.truelogik.net
Version: 1.0
Problems:
- Admin Access
- File Copy
PHP Code/Location:
°°°°°°°°°°°°°°°°°°
verif_admin.php, check_admin.php:
------------------------------------------------------------------------
<?
// $connect and $loggedin are never read from $_POST/$_COOKIE explicitly:
// they are register_globals variables, so any request parameter of that
// name (GET, POST or cookie) fills them.
if(isset($connect)) {
    if($connect=="$passadmin") setcookie("loggedin","ok");
    if($connect=="no") setcookie("loggedin");
    Header("Location: ".$PHP_SELF);
}
// The check only tests that $loggedin is non-empty; its value is never
// compared with anything, so ?loggedin=1 in the URL satisfies it.
$ok = ($loggedin!="");
if($ok) {
    echo "<center>";
    echo "<table>";
    echo "<tr><td align='center'><a href='?connect=no'>DECONNEXION</a></td></tr>";
    echo "</table>";
    echo "</center>";
} else {
    echo "<center><form method='post'>";
    echo "<table>";
    echo "<tr><td align='center'>CONNEXION</td></tr>";
    echo "<tr><td align='center'>Password : admin</td></tr>";
    echo "<tr><td><input type='password' name='connect'></td></tr>" ;
    echo "<tr><td><input type='submit' value='Login'></td></tr>" ;
    echo "</table>";
    echo "</form></center>";
}
?>
------------------------------------------------------------------------
upload.php:
----------------------------------------------------------------------
[...]
$userip = $REMOTE_ADDR;
$pseudo = $_POST['pseudo'];
$message = $_POST['message'];
$email = $_POST['email'];
[...]
// $file is never assigned from $HTTP_POST_FILES['file']['tmp_name']; it is
// a register_globals variable, so a cookie named "file" can set it to any
// local path (e.g. config.php).
if((!$pseudo) || (!$message) || (!$file)) {
[...]
    exit;
}
if(!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
         '@'.
         '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
         '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
         $email))
{
[...]
    exit();
}
[...]
// $MAX_FILE_SIZE is the form's own MAX_FILE_SIZE POST field, so the client
// picks the limit it is checked against.
if ($file_size >= $MAX_FILE_SIZE)
{
[...]
    exit();
}
// The type comes from the client-supplied upload headers, not from the file.
if($HTTP_POST_FILES['file']['type']=="image/pjpeg") {
    $ext="jpg";
}
elseif($HTTP_POST_FILES['file']['type']=="image/gif") {
    $ext="gif";
}
if($HTTP_POST_FILES['file']['type']=="image/pjpeg"|$HTTP_POST_FILES['file']['type']==" image/gif") {
    $date = time();
    $query = "INSERT INTO $tablegalerie
    (cat_id,pseudo,email,url,message,date,clicks,img,userip)
    VALUES('$cat_id','$pseudo','$email','$url','$message','$date','','','$userip')";
    mysql_query($query);
    $id=mysql_insert_id();
    $random_name = makeRandomName();
    $dest_file="./$folder/$random_name.$ext";
    $query = "UPDATE $tablegalerie SET img='$dest_file' WHERE id='$id'";
    mysql_query($query);
    // copy() accepts any readable path, unlike move_uploaded_file(), so the
    // cookie-chosen file lands in the web-accessible gallery folder.
    $res_copy=@copy($file,$dest_file);
    @move_uploaded_file($file,$dest_file);
}
----------------------------------------------------------------------
Exploits:
°°°°°°°°°
- To be admin:
http://[target]/admin.php?loggedin=1
- To read config.php (with admin password, DB password, ...):
1) Set a cookie named "file" with the value "config.php" on
http://[target]/form.php
2) Fill in the form on this form.php page (the image has to be a real image, .gif or .jpg!)
3) Submit the form
4) Go to the index and look at your file (the last registered image)
5) Read it: it's config.php.
Patch:
°°°°°°
A patch can be found at http://www.phpsecure.info .
More Details In French:
°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/TrueGalerie.txt
frog-m@n
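Hardened counterpart of the verif_admin.php check quoted above, added here as an example; it is not TrueGalerie's code and not the phpsecure.info patch. It assumes config.php defines $passadmin_hash (an assumed name), a password_hash() of the admin password, and keeps the admin flag in server-side session state rather than in a client-controlled variable.

```php
<?php
// Added example, not TrueGalerie's code and not the phpsecure.info patch.
// Assumes config.php defines $passadmin_hash (assumed name), created once
// with password_hash($passadmin, PASSWORD_DEFAULT) instead of storing the
// clear-text $passadmin that the original config.php holds.
require 'config.php';
session_start();

// Login and logout are read only from $_POST. Nothing taken from the query
// string or from a client cookie takes part in the decision, so a
// register_globals-style "?loggedin=1" has no variable left to overwrite.
if (isset($_POST['logout'])) {
    $_SESSION = array();
    session_destroy();
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}
if (isset($_POST['connect'])) {
    if (password_verify((string) $_POST['connect'], $passadmin_hash)) {
        session_regenerate_id(true);   // new session id on privilege change
        $_SESSION['is_admin'] = true;
    }
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

// The admin flag lives only in server-side session data; the client holds
// an opaque session id, never the flag itself.
function is_admin()
{
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

if (is_admin()) {
    echo "<form method='post'><input type='submit' name='logout' value='DECONNEXION'></form>";
} else {
    echo "<form method='post'><input type='password' name='connect'>";
    echo "<input type='submit' value='Login'></form>";
}
```

Hardened counterpart of the upload.php excerpt above, likewise an added example rather than TrueGalerie's code or the phpsecure.info patch; it assumes $folder (the gallery directory) comes from config.php, takes the file only from $_FILES, ignores the form's MAX_FILE_SIZE, and derives the type from the file contents.

```php
<?php
// Added example, not TrueGalerie's code and not the phpsecure.info patch.
// $folder (gallery directory) is assumed to be defined in config.php.
require 'config.php';

const GALLERY_MAX_BYTES = 512 * 1024;   // server-side limit, never from the client
$allowed = array(IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif');

// The file is taken only from $_FILES; a cookie or POST field named "file"
// cannot reach this variable, and MAX_FILE_SIZE from the form is ignored.
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    exit('no file uploaded');
}
$tmp = $_FILES['file']['tmp_name'];

// is_uploaded_file() is true only for this request's own upload temp file,
// so a local path such as config.php is rejected here.
if (!is_uploaded_file($tmp)) {
    exit('not an uploaded file');
}
if (filesize($tmp) > GALLERY_MAX_BYTES) {
    exit('file too large');
}

// Decide the type from the image header, not from the client-sent MIME type.
$info = @getimagesize($tmp);
if ($info === false || !isset($allowed[$info[2]])) {
    exit('only JPEG and GIF images are accepted');
}
$ext = $allowed[$info[2]];

// Destination name is generated server-side and never uses the client's name.
$dest = rtrim($folder, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;

// move_uploaded_file() refuses non-upload sources; copy() would not.
if (!move_uploaded_file($tmp, $dest)) {
    exit('could not store file');
}
// The gallery row recording $dest would be inserted here with a prepared
// statement rather than by interpolating $pseudo/$message into the query.
```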