A problem exists in True Galerie v1.0 that allows a remote attacker to obtain administrative access to this utility due to misuse of cookies.
d60704ec2fd8a3caefc2462af52a5c5019ab052febae606e69424fa837d5ec1a
Informations :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.truelogik.net
Version : 1.0
Problems :
- Admin Access
- File Copy
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
verif_admin.php, check_admin.php :
------------------------------------------------------------------------
<?
if(isset($connect)) {
if($connect=="$passadmin") setcookie("loggedin","ok");
if($connect=="no") setcookie("loggedin");
Header("Location: ".$PHP_SELF);
}
$ok = ($loggedin!="");
if($ok) {
echo "<center>";
echo "<table>";
echo "<tr><td align='center'><a
href='?connect=no'>DECONNEXION</a></td></tr>";
echo "</table>";
echo "</center>";
}
else {
echo "<center><form method='post'>";
echo "<table>";
echo "<tr><td align='center'>CONNEXION</td></tr>";
echo "<tr><td align='center'>Password : admin</td></tr>";
echo "<tr><td><input type='password' name='connect'></td></tr>";
echo "<tr><td><input type='submit' value='Login'></td></tr>";
echo "</table>";
echo "</form></center>";
}
?>
------------------------------------------------------------------------
upload.php :
----------------------------------------------------------------------
[...]
$userip = $REMOTE_ADDR;
$pseudo = $_POST['pseudo'];
$message = $_POST['message'];
$email = $_POST['email'];
[...]
if((!$pseudo) || (!$message) || (!$file)) {
[...]
exit;
}
if(!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
'@'.
'[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
'[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
$email))
{
[...]
exit();
}
[...]
if ($file_size >= $MAX_FILE_SIZE)
{
[...]
exit();
}
if($HTTP_POST_FILES['file']['type']=="image/pjpeg") {
$ext="jpg";
}
elseif($HTTP_POST_FILES['file']['type']=="image/gif") {
$ext="gif";
}
if($HTTP_POST_FILES['file']['type']=="image/pjpeg"|$HTTP_POST_FILES['file']['type']=="image/gif")
{
$date = time();
$query = "INSERT INTO $tablegalerie
(cat_id,pseudo,email,url,message,date,clicks,img,userip)
VALUES('$cat_id','$pseudo','$email','$url','$message','$date','','','$userip')";
mysql_query($query);
$id=mysql_insert_id();
$random_name = makeRandomName();
$dest_file="./$folder/$random_name.$ext";
$query = "UPDATE $tablegalerie SET img='$dest_file' WHERE id='$id'";
mysql_query($query);
$res_copy=@copy($file,$dest_file);
@move_uploaded_file($file,$dest_file);
----------------------------------------------------------------------
Exploits :
°°°°°°°°°°
- To be admin :
http://[target]/admin.php?loggedin=1
- To read config.php (with admin password, DB password,...) :
1) Set a cookie named "file" and with the value "config.php" on
http://[target]/form.php
2) Fill the form on this form.php page (the image have to be a real image,
.gif or .jpg !)
3) Submit the form
4) Go on the index, look at your file (the last registered image)
5) Read it : it's config.php.
Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info .
More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/TrueGalerie.txt
frog-m@n
_________________________________________________________________
Utilisez votre MSN Messenger via votre GSM !
http://www.fr.msn.be/gsm/servicesms/messengerparsms